On Wed, Jul 18, 2007 at 08:25:59AM -0400, Jeff Trawick wrote: > On 6/20/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > >Author: jorton > >Date: Wed Jun 20 10:29:24 2007 > >New Revision: 549159 > > > >URL: http://svn.apache.org/viewvc?view=rev&rev=549159 > >Log: > >Fix CVE-2006-5752: > > > >* modules/generators/mod_status.c (status_handler): Specify charset in > >content-type to prevent browsers doing charset "detection", which > >allows an XSS attack. Use logitem-escaping on the request string to > >make it charset-neutral. > > assert( > > The part of the fix that addresses the vulnerability is providing the > charset; the escaping change is just for predictable display. So the > following is a simple, understandable circumvention. > > <Location /server-status> > SetHandler server-status > AddDefaultCharset ISO-8859-1 > ... > </Location> > > ) ???
That's all correct, yes, sorry if the wording is not clear above. The logitem-escaping stuff is just to ensure the status output really is plain ISO-8859-1, a cosmetic change not necessary to fixing the vulnerability. joe
