Use the pcidss/v2.6 branch.

https://github.com/goochjj/pound/archive/pcidss/v2.6.zip

https://github.com/goochjj/pound/tree/pcidss/v2.6

I’ve added the SNI optimization (one line fix)… And the XSS fix… since that’s 
in the spirit of the pcidss compliance branch anyway.

Joe


From: fatcha...@gmx.de
Sent: Tuesday, August 06, 2013 6:20 AM
To: pound@apsis.ch
Subject: Aw: RE: [Pound Mailing List] port 80 redirect and XSS

Hi Joe,

I'm glad to hear from you. We are using a 2.6f with a patch for 
ssl_renegotitation_and_ciphers_v2 and a patch for SNI_Optimization. Which 
version can we use to keep the patches and get rid of our XSS problem?

Kind regards

fatcharly



Sent: Monday, 05 August 2013 at 18:34
From: "Joe Gooch" <mrwiz...@k12system.com>
To: 'Pound' <pound@apsis.ch>
Subject: RE: [Pound Mailing List] port 80 redirect and XSS
Are you using the stage for upstream 2.7b branch?

Or running this patch?
https://github.com/goochjj/pound/commit/8b29ed0e1a6760de395b64274c5de95ad05143fe.diff

Joe

From: fatcha...@gmx.de
Sent: Monday, August 05, 2013 10:37 AM
To: Pound
Subject: [Pound Mailing List] port 80 redirect and XSS

Hi,

we are using Pound on a CentOS 6 base and it works fine. A few days ago we had 
a security scan and now there is a problem with XSS (cross-site scripting). 
When the client connects on port 80 and asks for a link with bad code in it 
(GET /"><script>alert(document.domain)</script>.html HTTP/1.1), the 
Pound system replies with a 300 code and the full request. Is it possible to 
filter or do a URL-encoding/HTML-encoding before the 300 reply gets back to the 
browser? Or what else can we do to resolve this issue?

Any suggestions are welcome

kind regards

fatcharly

-- To unsubscribe send an email with subject unsubscribe to pound@apsis.ch. 
Please contact ro...@apsis.ch for questions.
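An added example, not code from Pound and not posted by anyone in this thread, showing the encoding the question above asks about: a C redirect builder that percent-encodes the request path before placing it in the Location header and entity-escapes that encoded value again inside the HTML body, so a path taken from the client cannot close the href attribute or open a tag. The function names, buffer sizes and the 301 response layout are my own assumptions; the sample request path is the one from the scan report in the thread.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes passed through unchanged in a redirect target: RFC 3986 unreserved
 * characters plus the path/query delimiters a rewritten request needs.
 * Quotes, angle brackets, spaces and everything else are percent-encoded,
 * so a reflected path cannot break out of an attribute or inject markup. */
static int keep_verbatim(unsigned char c)
{
    return c != 0 && (isalnum(c) || strchr("-._~/?=&", c) != NULL);
}

/* Percent-encode `path` into `out`. Already valid %XX escapes are kept so a
 * client-encoded URL is not double-encoded. Returns the length written, or
 * -1 if `outlen` is too small for the result plus its terminator. */
int encode_redirect_target(const char *path, char *out, size_t outlen)
{
    size_t n = 0;
    const unsigned char *p = (const unsigned char *)path;
    for (; *p; p++) {
        int valid_escape = (*p == '%' && isxdigit(p[1]) && isxdigit(p[2]));
        if (keep_verbatim(*p) || valid_escape) {
            if (n + 1 >= outlen) return -1;
            out[n++] = (char)*p;
        } else {
            if (n + 3 >= outlen) return -1;
            sprintf(out + n, "%%%02X", *p);
            n += 3;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Escape the five characters that matter inside HTML text and attributes.
 * Returns the length written, or -1 if `out` is too small. */
int html_escape(const char *s, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *s; s++) {
        const char *rep;
        char one[2] = { *s, '\0' };
        switch (*s) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t len = strlen(rep);
        if (n + len >= outlen) return -1;
        memcpy(out + n, rep, len);
        n += len;
    }
    out[n] = '\0';
    return (int)n;
}

/* Build a complete 301 response sending the client to the same path on
 * `https_host`. The Location header carries the percent-encoded target; the
 * HTML body entity-escapes it a second time, since the href attribute is
 * where an unencoded request would otherwise break out. Assumed layout, not
 * Pound's own. Returns 0 on success, -1 if a buffer was too small. */
int build_redirect(const char *https_host, const char *path, char *out, size_t outlen)
{
    char enc[1024], html[2048];
    if (encode_redirect_target(path, enc, sizeof enc) < 0) return -1;
    if (html_escape(enc, html, sizeof html) < 0) return -1;
    int w = snprintf(out, outlen,
        "HTTP/1.0 301 Moved Permanently\r\n"
        "Location: https://%s%s\r\n"
        "Content-Type: text/html\r\n\r\n"
        "<html><head><title>Redirect</title></head><body>"
        "<h1>Redirect</h1><p>The document has moved "
        "<a href=\"https://%s%s\">here</a>.</p></body></html>\r\n",
        https_host, enc, https_host, html);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample: the request path reported by the scan in the thread. */
    char resp[4096];
    if (build_redirect("www.example.com",
                       "/\"><script>alert(document.domain)</script>.html",
                       resp, sizeof resp) == 0)
        fputs(resp, stdout);
    return 0;
}
```

Compiled with any C99 compiler, the binary prints the response for the scanner's request: the path comes back as a harmless percent-encoded string in both the header and the body, and the output contains no script tag. Keeping the already-valid %XX escapes untouched avoids double-encoding URLs that browsers have already encoded.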
