On 6/20/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Author: jorton
Date: Wed Jun 20 10:29:24 2007
New Revision: 549159
URL: http://svn.apache.org/viewvc?view=rev&rev=549159
Log:
Fix CVE-2006-5752:
* modules/generators/mod_status.c (status_handler): Specify charset in
content-type to prevent browsers doing charset "detection", which
allows an XSS attack. Use logitem-escaping on the request string to
make it charset-neutral.
assert(
The part of the fix that addresses the vulnerability is providing the
charset; the escaping change is just for predictable display. So the
following is a simple, understandable circumvention.
<Location /server-status>
SetHandler server-status
AddDefaultCharset ISO-8859-1
...
</Location>
) ???
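To make the second part of the commit message concrete, here is an added C example (not httpd's own code and not a copy of ap_escape_logitem()) of logitem-style escaping as applied to the request string shown on the status page: every control byte and every byte above 0x7e is rewritten as a C-style escape, so the emitted text is printable 7-bit ASCII no matter which charset the browser settles on. The function names and the sample request line are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
/* Logitem-style escaping (example code, not httpd's ap_escape_logitem()):
 * control bytes and bytes above 0x7e become C-style escapes, so the output is
 * printable 7-bit ASCII. Returns the length written or -1 if out[outsz] is too small. */
static int escape_logitem(const char *in, char *out, size_t outsz) {
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        const char *simple = NULL;
        switch (*p) {
            case '\b': simple = "\\b"; break;
            case '\n': simple = "\\n"; break;
            case '\r': simple = "\\r"; break;
            case '\t': simple = "\\t"; break;
            case '\v': simple = "\\v"; break;
            case '\\': simple = "\\\\"; break;
            case '"':  simple = "\\\""; break;
        }
        if (simple) {
            size_t n = strlen(simple);
            if (o + n >= outsz) return -1;
            memcpy(out + o, simple, n); o += n;
        } else if (*p < 0x20 || *p > 0x7e) {
            /* Anything non-printable or non-ASCII becomes \xHH. */
            if (o + 4 >= outsz) return -1;
            out[o++] = '\\'; out[o++] = 'x';
            out[o++] = hex[*p >> 4]; out[o++] = hex[*p & 0x0f];
        } else {
            if (o + 1 >= outsz) return -1;
            out[o++] = (char)*p;
        }
    }
    out[o] = '\0';
    return (int)o;
}
/* Defender's check: 1 when no byte outside printable ASCII survived. */
static int is_ascii_printable(const char *s) {
    for (; *s; s++) if ((unsigned char)*s < 0x20 || (unsigned char)*s > 0x7e) return 0;
    return 1;
}
int main(void) {
    /* Constructed sample request line with a quote, CRLF and UTF-8 bytes. */
    const char sample[] = "GET /caf\xc3\xa9?q=\"x\"\r\n HTTP/1.0";
    char buf[128];
    int n = escape_logitem(sample, buf, sizeof buf);
    printf("%d bytes, ascii=%d: %s\n", n, is_ascii_printable(buf), buf);
    return 0;
}
```

This covers only the display-side half of the commit; the explicit charset in the Content-Type is what removes the browser's reason to sniff in the first place.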