[APACHE DOCUMENTATION]

Cross Site Scripting Info: Apache Specific

Introduction:

While reviewing the Apache code for problems related to Cross Site Scripting, we have discovered a number of issues. Many of them are not bugs in Apache, but are places where Apache can do more to avoid being vulnerable to the Cross Site Scripting security problem. None of the changes fix security holes in Apache itself that can compromise the server directly; they are focused on its interaction with clients.

Included below is a summary of the currently known issues and fixes, where available. It will be expanded as information becomes available and time permits.

Issues outstanding:

Fixes from CHANGES file:

These will be expanded on as time permits. These patches are available in the current Apache patch against Apache 1.3.11.

  *) Add an explicit charset=iso-8859-1 to pages generated by
     ap_send_error_response(), such as the default 404 page.
     [Marc Slemko]

  *) Add the AddDefaultCharset and AddDefaultCharsetName directives.
     These allow you to tell Apache to specify the given character
     set on any document that does not have one explicitly specified in
     the headers.  [Marc Slemko]

  *) Properly escape various messages output to the client from a number
     of modules and places in the core code.  [Marc Slemko]

  *) Change mod_actions, mod_autoindex, mod_expires, and mod_log_config to
     not consider any parameters such as charset when making decisions
     based on content type.  This does remove some functionality for
     some users, but means that when these modules are configured to do
     particular things with particular MIME types, the charset should
     not be included.  A better way of addressing this for users who
     want to set things on a per charset basis is necessary in the future.
     [Marc Slemko]

  *) mod_include now entity encodes output from "printenv" and "echo var"
     by default.  The encoding for "echo var" can be set to URL encoding
     or no encoding using the new "encoding" attribute to the echo tag.
     [Marc Slemko]
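
Added example (not part of the Apache patch or of mod_include's source): a small C program showing what the three "echo var" encodings named in the last entry do to one client-supplied value. The function and enum names, the sample value, and the set of characters left unescaped in URL mode are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for the three modes; the URL safe set (unreserved + '/') is assumed. */
enum echo_encoding { ENC_ENTITY, ENC_URL, ENC_NONE };

/* Encode src into dst (capacity cap). Returns length, or -1 if dst is too small. */
static int encode_value(const char *src, enum echo_encoding enc, char *dst, size_t cap)
{
    size_t n = 0;
    if (cap == 0) return -1;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        char buf[16];
        const char *rep = buf;
        buf[0] = (char)c; buf[1] = '\0';   /* default: copy the byte as-is */
        if (enc == ENC_ENTITY) {
            if (c == '<') rep = "&lt;";
            else if (c == '>') rep = "&gt;";
            else if (c == '&') rep = "&amp;";
            else if (c == '"') rep = "&quot;";
        } else if (enc == ENC_URL && !isalnum(c) && !strchr("-._~/", c)) {
            snprintf(buf, sizeof buf, "%%%02X", (unsigned)c);
        }
        size_t len = strlen(rep);
        if (n + len + 1 > cap) return -1;   /* refuse to truncate encoded output */
        memcpy(dst + n, rep, len);
        n += len;
    }
    dst[n] = '\0';
    return (int)n;
}
/* Constructed sample: a variable value as a client might supply it. */
static const char *SAMPLE = "<script>x</script>&\"";

static const char *encode_sample(enum echo_encoding enc)
{
    static char out[128];
    return encode_value(SAMPLE, enc, out, sizeof out) < 0 ? NULL : out;
}

int main(void)
{
    printf("entity: %s\n", encode_sample(ENC_ENTITY));
    printf("url:    %s\n", encode_sample(ENC_URL));
    printf("none:   %s\n", encode_sample(ENC_NONE));
    return 0;
}
```

With entity encoding the value is displayed as text in an HTML page; with no encoding the same bytes reach the browser as markup.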