786459 – httpd: Unsanitized SCRIPT_NAME variable leads to XSS flaws in CGI applications

Bug 786459 - httpd: Unsanitized SCRIPT_NAME variable leads to XSS flaws in CGI applications

Summary: httpd: Unsanitized SCRIPT_NAME variable leads to XSS flaws in CGI applications

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	786466
TreeView+	depends on / blocked

Reported:	2012-02-01 14:04 UTC by Jan Lieskovsky
Modified:	2021-02-24 13:14 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-04-24 12:01:00 UTC

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Jan Lieskovsky 2012-02-01 14:04:04 UTC

A security flaw was found in the way httpd, Apache HTTP server, performed sanitization of the content of the SCRIPT_NAME environment variable prior passing it to the particular CGI (Common Gateway Interface) script. A remote attacker could provide a specially-crafted URL, which once processed by the Apache HTTP server and passed to the CGI application in the form of SCRIPT_NAME variable, could lead to cross-site (XSS) attack (arbitrary web script or HTML execution) if that CGI application relied on the content of SCRIPT_NAME variable to be safe.

Upstream bug report:
[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=10775

Upstream patch:
[2] https://issues.apache.org/bugzilla/attachment.cgi?id=13169&action=diff

Comment 2 Jan Lieskovsky 2012-02-01 14:09:22 UTC

This issue affects the version of the httpd package, as shipped with Red Hat Enterprise Linux 4.

--

This issue did NOT affect the versions of the httpd package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue did NOT affect the versions of the httpd package, as shipped with Fedora release of 15 and 16.

Comment 3 Jan Lieskovsky 2012-02-01 14:16:51 UTC

Acknowledgements:

Red Hat would like to thank Maxim Rupp for reporting this issue.

Comment 4 Rich Megginson 2012-02-01 20:40:17 UTC

Is there a CVE?

Comment 5 Tomas Hoger 2013-04-24 12:01:00 UTC

Red Hat Enterprise Linux 4 is already in the Extended Life Phase, and this issue does not qualify for fix via Extended Lifecycle Support (ELS).  Closing.

Note You need to log in before you can comment on or make changes to this bug.