<<< Date Index >>>     <<< Thread Index >>>

Re: PR07-37: XSS on Apache HTTP Server 413 error pages via malformed HTTP method



what happens when you add a customer 413 page
and the test script still says its vul ?

is the script not working ?

 ../bin/httpd -V
Server version: Apache/2.0.54
Server built:   Jul 25 2007 17:21:43
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/worker"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D HTTPD_ROOT="/usr/local/apache2"
 -D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

grep 413 httpd.conf
     ErrorDocument 413 /error/413.html


./scan-413.sh localhost
localhost is VULNERABLE!