Fixes are available
APAR status
Closed as program error.
Error description
mod_status omits the charset tag from the display of a server-status report. If ExtendedStatus is on, an attacker could make a malicious request appear in the server-status report and potentially cause a cross-site scripting exposure for an administrator viewing the report.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: IBM HTTP SERVER administrators with          *
* ExtendedStatus set to On, viewing server-status page with    *
* some browsers.                                               *
****************************************************************
* PROBLEM DESCRIPTION: A cross-site scripting attack is        *
* possible using the mod_status reports typically used by web  *
* server administrators.                                       *
****************************************************************
* RECOMMENDATION: Apply this fix or enable the circumvention   *
* if ExtendedStatus is set to On and server-status pages are   *
* enabled.                                                     *
****************************************************************
mod_status does not specify the charset of the response; in the absence of the charset information, some web browsers will scan the output to determine the charset. That allows a cross-site scripting attack against an administrator viewing the server-status page with such browsers, if client request URLs are displayed in the report. Client request URLs are displayed if ExtendedStatus is set to On.
Problem conclusion
mod_status was updated to specify the charset of its responses, thus correcting the potential vulnerability. In addition, mod_status was updated to escape non-ISO-8859-1 characters in client request URLs which appear in the report.

This fix is targeted for:
Fix pack 6.1.0.13.
Fix pack 6.0.2.23.
Cumulative e-fix PK53584 for 2.0.47.1
Cumulative e-fix PK55141 for 1.3.28.1
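As an added illustration of the two corrections described above (this is example code written for this page, not IBM's or Apache's mod_status source), the following checks a server-status response for an explicit charset and escapes client request lines the way the report needs before they are rendered. The sample responses and all function names are constructed for the example.

```python
import html
import re

# Constructed sample responses (not captured from a real server): the first has
# the pre-fix header, the second carries the charset the fix adds.
UNFIXED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>GET /index.html HTTP/1.1</body></html>"
)
FIXED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=ISO-8859-1\r\n\r\n"
    b"<html><body>GET /index.html HTTP/1.1</body></html>"
)

def parse_headers(raw: bytes) -> dict:
    """Split a raw HTTP response and return its headers with title-cased names."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        headers[name.strip().title()] = value.strip()
    return headers

def content_type_has_charset(headers: dict) -> bool:
    """True when Content-Type names a charset, so the browser has nothing to sniff."""
    ctype = headers.get("Content-Type", "")
    return re.search(r";\s*charset=[\w-]+", ctype, re.IGNORECASE) is not None

def escape_request_for_report(request_line: str) -> str:
    """Prepare a client request line for an HTML status report: HTML
    metacharacters become entities, and control characters or characters
    outside ISO-8859-1 become backslash escapes, so the displayed text is
    plain ISO-8859-1 whatever charset a browser might guess."""
    out = []
    for ch in html.escape(request_line, quote=True):
        cp = ord(ch)
        if cp < 0x20 or cp == 0x7F:
            out.append("\\x%02x" % cp)
        elif cp > 0xFF:
            out.append("\\u%04x" % cp)
        else:
            out.append(ch)
    return "".join(out)

def audit_status_response(raw: bytes) -> list:
    """Return findings for a /server-status response; an empty list means no issue found."""
    findings = []
    if not content_type_has_charset(parse_headers(raw)):
        findings.append("Content-Type has no charset; the browser may sniff one")
    return findings
```

Run `audit_status_response` against a captured /server-status response to confirm the fix pack is in place, and use `escape_request_for_report` as the reference behaviour for any report that echoes request lines.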
Temporary fix
Comments
APAR Information
APAR number
PK49295
Reported component name
IBM HTTP SERVER
Reported component ID
5724J0801
Reported release
61A
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2007-07-19
Closed date
2007-08-16
Last modified date
2007-11-16
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM HTTP SERVER
Fixed component ID
5724J0801
Applicable component levels
R60A PSN  UP
R60H PSN  UP
R60P PSN  UP
R60I PSN  UP
R60S PSN  UP
R60W PSN  UP
R60Z PSN  UP
R61A PSN  UP
R61H PSN  UP
Document Information
Modified date:
07 September 2022