Apache HTTP Server 存在模块跨站脚本漏洞

受影响系统 Apache Group Apache 2.2.x Apache Group Apache 2.0.x Apache Group Apache 1.3.x 不受影响系统 Apache Group Apache 2.2.6 Apache Group Apache 2.0.61 Apache Group Apache 1.3.39 描述 -------------------------------------------------------------------------------- BUGTRAQ ID: 24645 CVE(CAN) ID: CVE-2006-5752 Apache HTTP Server是一款流行的Web服务器。 Apache HTTP Server（httpd）的mod_status模块中的mod_status.c文件存在跨站脚本漏洞，远程攻击者可能利用此漏洞在用户的浏览器中执行恶意代码。 如果站点的server-status页面公开可访问且启用了ExtendedStatus的话，远程攻击者就可以在执行字符集检查的浏览器中通过没有指定content-type的页面注入并执行脚本或HTML代码。 <来源Stefan Esser （s.esser@ematters.de） 链接http://secunia./advisories/26273 http://httpd.apache./security/vulnerabilities_22.html http://httpd.apache./security/vulnerabilities_20.html http://svn.apache./viewvc?view=rev&revision=549159 https://bugzilla.redhat./long_list.cgi?buglist=245112 http://httpd.apache./security/vulnerabilities_13.html https://.redhat./support/errata/RHSA-2007-0533.html https://.redhat./support/errata/RHSA-2007-0557.html https://.redhat./support/errata/RHSA-2007-0556.html https://.redhat./support/errata/RHSA-2007-0534.html https://.redhat./support/errata/RHSA-2007-0532.html > 建议 -------------------------------------------------------------------------------- 厂商补丁 Apache Group ------------ 目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载 http://httpd.apache./download.cgi RedHat ------ RedHat已经为此发布了安全公告（RHSA-2007:0533-01、RHSA-2007:0556-01、RHSA-2007:0532-01、RHSA-2007:0557-01、RHSA-2007:0534-01）以及相应补丁: RHSA-2007:0533-01Moderate: httpd security update 链接https://.redhat./support/errata/RHSA-2007-0533.html RHSA-2007:0556-01Moderate: httpd security update 链接https://.redhat./support/errata/RHSA-2007-0556.html RHSA-2007:0532-01Moderate: apache security update 链接https://.redhat./support/errata/RHSA-2007-0532.html RHSA-2007:0557-01Moderate: httpd security update 链接https://.redhat./support/errata/RHSA-2007-0557.html RHSA-2007:0534-01Moderate: httpd security update 链接https://.redhat./support/errata/RHSA-2007-0534.html