www-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@znep.com>
Subject Cross Site Scripting security issue
Date Wed, 02 Feb 2000 19:22:12 GMT

As you may already be aware, today CERT released an advisory about
a security vulnerability that has been discovered associated with
malicious HTML tags (especially scripting tags) being embedded in
client web requests.  The common name currently associated with this
problem is "Cross Site Scripting", even though this name is not entirely
accurate in its description of the problem.

Please review the CERT advisory available at:


for more details.  Pay particular attention to their Tech Tip for
Web Developers, available at:


There are a number of ways in which this issue impacts Apache itself,
and many more ways in which it impacts sites developed using related
technologies such as Apache modules, CGI scripts, mod_perl, PHP, etc.
that runs on top of Apache.  We have put together some information
about this and it is available at:


Please visit this page for more information if you think this
problem impacts your site or if you don't understand if the problem
impacts your site.  Included on this page are patches to Apache to
fix a number of related bugs and to add a number of features that
may be helpful in defending against this type of attack.  We expect to
release a new version of Apache in the immediate future that includes
these patches, but do not yet have an exact timeline planned for this

Please note that this issue does not in any way compromise the security
of your server directly.  All the issues related to this involve tricking
a client into doing something that is not what the user intends.

We expect to update our pages with more information in the future,
as more of the details of and consequences of this issue are

- --
     Marc Slemko     | Apache Software Foundation member
     marcs@znep.com  | marc@apache.org

Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv


View raw message