SB2012111611 - Cross-site scripting in apache2 (Alpine package)
Published: November 16, 2012
Description
This security bulletin contains information about 1 security vulnerability.
1) Cross-site scripting (CVE-ID: CVE-2012-2687)
Vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability is caused by an input validation error in the make_variant_list function in mod_negotiation.c (the mod_negotiation module) of Apache HTTP Server 2.4.x before 2.4.3. When the MultiViews option is enabled, a crafted filename is not properly escaped while the variant list is constructed, so HTML and script embedded in the filename are written into the response. Per http://httpd.apache.org/security/vulnerabilities_22.html, versions 2.2.x before 2.2.23 are also vulnerable. Because the injection vector is a filename, the attacker must first be able to place a file with a crafted name in a MultiViews-enabled directory (for example, through an upload feature); a remote attacker can then trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the victim's browser in the security context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
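The defect is easiest to see side by side. The C program below is an added example written for this bulletin; it is not Apache's code and does not reproduce the exact markup mod_negotiation emits. It uses a simplified variant-list template and a constructed crafted filename, and its html_escape helper stands in for the escaping that the upstream fix applies before a filename is written into the variant list. The first builder copies the filename into the HTML unchanged (the vulnerable behaviour); the second escapes it first.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example input: a filename an attacker could create in an
 * upload directory. '<' and '>' are legal in Linux filenames. */
static const char *CRAFTED_NAME = "index<script>alert(1)</script>.html";

/* HTML-escape the characters that break out of text and attribute
 * context. Written here for illustration (not httpd's ap_escape_html).
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *html_escape(const char *s)
{
    size_t extra = 0;
    for (const char *p = s; *p; p++) {
        switch (*p) {
        case '<': case '>': extra += 3; break;  /* &lt;  &gt;  */
        case '&':           extra += 4; break;  /* &amp;       */
        case '"':           extra += 5; break;  /* &quot;      */
        case '\'':          extra += 4; break;  /* &#39;       */
        default: break;
        }
    }
    char *out = malloc(strlen(s) + extra + 1);
    if (!out)
        return NULL;
    char *q = out;
    for (const char *p = s; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default: break;
        }
        if (rep) {
            size_t n = strlen(rep);
            memcpy(q, rep, n);
            q += n;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* Simplified variant-list line (hypothetical template, not httpd's exact
 * output). Vulnerable form: the filename is interpolated verbatim. */
int variant_entry_vulnerable(char *buf, size_t n, const char *filename, const char *type)
{
    return snprintf(buf, n, "<li><a href=\"%s\">%s</a> , type %s</li>\n",
                    filename, filename, type);
}

/* Hardened form: escape every attacker-influenced field before emitting. */
int variant_entry_fixed(char *buf, size_t n, const char *filename, const char *type)
{
    char *ef = html_escape(filename);
    char *et = html_escape(type);
    int r = -1;
    if (ef && et)
        r = snprintf(buf, n, "<li><a href=\"%s\">%s</a> , type %s</li>\n", ef, ef, et);
    free(ef);
    free(et);
    return r;
}

/* 1 if the vulnerable builder lets a raw <script> tag through, else 0. */
int vulnerable_leaks_script(void)
{
    char buf[512];
    if (variant_entry_vulnerable(buf, sizeof buf, CRAFTED_NAME, "text/html") < 0)
        return 0;
    return strstr(buf, "<script>") != NULL;
}

/* 1 if the fixed builder neutralises the tag (entity-encoded, no raw tag). */
int fixed_neutralises_script(void)
{
    char buf[512];
    if (variant_entry_fixed(buf, sizeof buf, CRAFTED_NAME, "text/html") < 0)
        return 0;
    return strstr(buf, "<script>") == NULL &&
           strstr(buf, "&lt;script&gt;alert(1)&lt;/script&gt;") != NULL;
}

int main(void)
{
    char buf[512];
    variant_entry_vulnerable(buf, sizeof buf, CRAFTED_NAME, "text/html");
    printf("vulnerable: %s", buf);
    variant_entry_fixed(buf, sizeof buf, CRAFTED_NAME, "text/html");
    printf("fixed:      %s", buf);
    return 0;
}
```

Run it and compare the two lines: in the vulnerable output the browser sees a real script element inside the 406/300 variant page, while in the fixed output the same bytes arrive as inert text. Escaping at the point where untrusted data meets markup is the fix; filtering filenames at upload time alone is not sufficient, because every other route by which a file can be created on the server would need the same filter.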
Remediation
Upgrade the apache2 package to a build that includes the fix (see the Alpine aports commits referenced below). Upstream, the issue is fixed in Apache HTTP Server 2.4.3 and 2.2.23. Where the upgrade cannot be applied immediately, disabling the MultiViews option removes the vulnerable code path, since the flaw is only reachable when MultiViews is enabled.
References
- https://git.alpinelinux.org/aports/commit/?id=8c814a95fd7906f50766a235a472cdc2abdc5981
- https://git.alpinelinux.org/aports/commit/?id=3672383e469c6e838048e39c7457a7acc21e1fd0
- https://git.alpinelinux.org/aports/commit/?id=bf6e336a815b4e3caf0f33264f07c9f9a4efa429
- https://git.alpinelinux.org/aports/commit/?id=71147bc9839a1fbaa518c650b7937a42df8acc7a