IBM Support

PK49295: CVE-2006-5752 MOD_STATUS CROSS-SITE SCRIPTING VULNERABILITY

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • mod_status omits the charset tag from the display of a
    server-status report.  If ExtendedStatus is on, an attacker
    could make a malicious request appear in the server-status
    report and potentially cause a cross-site scripting exposure
    for an administrator viewing the report.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: IBM HTTP SERVER administrators with          *
    * ExtendedStatus set to On, viewing server-status page with    *
    * some browsers.                                               *
    ****************************************************************
    * PROBLEM DESCRIPTION: A cross-site scripting attack is        *
    * possible using the mod_status reports typically used by web  *
    * server administrators.                                       *
    ****************************************************************
    * RECOMMENDATION: Apply this fix or enable the circumvention   *
    * if ExtendedStatus is set to On and server-status pages are   *
    * enabled.                                                     *
    ****************************************************************
    mod_status does not specify the charset of the response; in
    the absence of the charset information, some web browsers will
    scan the output to determine the charset.  That allows a cross-
    site scripting attack against an administrator viewing the
    server-status page with such browsers, if client request URLs
    are displayed in the report.  Client request URLs are displayed
    if ExtendedStatus is set to On.
    

Problem conclusion

  • mod_status was updated to specify the charset of its responses,
    thus correcting the potential vulnerability.
    In addition, mod_status was updated to escape non-ISO-8859-1
    characters in client request URLs which appear in the report.
    This fix is targeted for:
    Fix pack 6.1.0.13.
    Fix pack 6.0.2.23.
    Cumulative e-fix PK53584 for 2.0.47.1
    Cumulative e-fix PK55141 for 1.3.28.1
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK49295

  • Reported component name

    IBM HTTP SERVER

  • Reported component ID

    5724J0801

  • Reported release

    61A

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2007-07-19

  • Closed date

    2007-08-16

  • Last modified date

    2007-11-16

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM HTTP SERVER

  • Fixed component ID

    5724J0801

Applicable component levels

  • R60A PSN

       UP

  • R60H PSN

       UP

  • R60P PSN

       UP

  • R60I PSN

       UP

  • R60S PSN

       UP

  • R60W PSN

       UP

  • R60Z PSN

       UP

  • R61A PSN

       UP

  • R61H PSN

       UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTJ","label":"IBM HTTP Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.1","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
07 September 2022