Apache fixes scripting flaw
By John Leyden, The Register Oct 4 2002 5:23AM
Apache is vulnerable to a number of cross-site scripting attacks.
According to a posting to BugTraq this week, the popular Web server platform is vulnerable due to "SSI error pages of the Web server not being properly sanitised of malicious HTML code".
Because of this, attacker-constructed HTML pages or script code may be executed on a web client visiting the malicious link placed on sites run using Apache. Cookie-based authentication credentials might be stolen using the attack or, worse, a number of arbitrary actions might be taken on a victim's machine.
A proof-of-concept exploit has been posted to BugTraq.
Previous versions of Apache on a wide variety of platform are potentially vulnerable, as explained in greater detail here.
Admins are advised to update their Web server software to either Apache versions 1.3.27 or 2.0.43, which are both resilient to the attack. These versions incorporate a fix, as explained in more depth on Apache's Web site, by security researcher Matthew Murphy, who reported the flaw. ®