PT-2002-2150 · Apache · Apache Mod Ssl

Published: 2002-11-04 · Updated: 2008-09-05 · CVE-2002-1157

CVSS v2.0: 7.5 High
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Apache mod_ssl module version 2.8.9 and earlier
Description: A cross-site scripting issue exists in the mod_ssl Apache module. It occurs when UseCanonicalName is off and wildcard DNS is enabled, and allows remote attackers to execute scripts as other web site visitors. The attack vector is the server name in an HTTPS response on the SSL port, which is used in a self-referencing URL.
Recommendations: For Apache mod_ssl module version 2.8.9 and earlier, consider updating to a version where this issue is resolved. As a temporary workaround, enable UseCanonicalName and disable wildcard DNS to minimize the risk of exploitation.
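
An added example (not part of the advisory and not Apache or mod_ssl code) that audits a configuration for the workaround above: it lists the SSL-enabled scopes whose effective UseCanonicalName is off. The sample configuration, hostnames and function names are constructed for illustration; wildcard DNS is a property of the DNS zone and has to be checked there.

```python
import re

# Constructed sample config (not from the advisory); hostnames and addresses are made up.
SAMPLE_CONF = """\
ServerName www.example.test
UseCanonicalName Off
<VirtualHost _default_:443>
    SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    SSLEngine on
    UseCanonicalName On
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName plain.example.test
</VirtualHost>
"""

def parse_scopes(conf_text):
    """Collect UseCanonicalName and SSLEngine per scope: 'main' plus each <VirtualHost>."""
    scopes, current = {"main": {}}, "main"
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = opened.group(1).strip()
            scopes.setdefault(current, {})
        elif re.match(r"</VirtualHost>", line, re.I):
            current = "main"
        else:
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0].lower() in ("usecanonicalname", "sslengine"):
                scopes[current][parts[0].lower()] = parts[1].strip().lower()
    return scopes

def ssl_scopes_with_canonical_name_off(conf_text):
    """Return SSL-enabled scopes whose effective UseCanonicalName is 'off'."""
    scopes = parse_scopes(conf_text)
    flagged = []
    for name, own in scopes.items():
        # A virtual host inherits the main-server value unless it sets its own.
        effective = {**scopes["main"], **own}
        if effective.get("sslengine") == "on" and effective.get("usecanonicalname") == "off":
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print(ssl_scopes_with_canonical_name_off(SAMPLE_CONF))
```

Scopes where UseCanonicalName is not set anywhere are not flagged; their behaviour depends on the server's default for that directive.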

Related Identifiers

CVE-2002-1157
DSA-181

Affected Products

Apache Mod Ssl