On 7/18/07, Joe Orton <[EMAIL PROTECTED]> wrote:
On Wed, Jul 18, 2007 at 08:25:59AM -0400, Jeff Trawick wrote:
> On 6/20/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >Author: jorton
> >Date: Wed Jun 20 10:29:24 2007
> >New Revision: 549159
> >
> >URL: http://svn.apache.org/viewvc?view=rev&rev=549159
> >Log:
> >Fix CVE-2006-5752:
> >
> >* modules/generators/mod_status.c (status_handler): Specify charset in
> >content-type to prevent browsers doing charset "detection", which
> >allows an XSS attack. Use logitem-escaping on the request string to
> >make it charset-neutral.
>
> assert(
>
> The part of the fix that addresses the vulnerability is providing the
> charset; the escaping change is just for predictable display. So the
> following is a simple, understandable circumvention.
>
> <Location /server-status>
> SetHandler server-status
> AddDefaultCharset ISO-8859-1
> ...
> </Location>
>
> ) ???
That's all correct, yes, sorry if the wording is not clear above.
no worries; better safe than sorry; thanks as always!
