Re: PR07-37: XSS on Apache HTTP Server 413 error pages via malformed HTTP method
what happens when you add a customer 413 page
and the test script still says its vul ?
is the script not working ?
../bin/httpd -V
Server version: Apache/2.0.54
Server built: Jul 25 2007 17:21:43
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/worker"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D HTTPD_ROOT="/usr/local/apache2"
-D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
grep 413 httpd.conf
ErrorDocument 413 /error/413.html
./scan-413.sh localhost
localhost is VULNERABLE!