Cherokee Web Server handler_error.c cross-site scripting CVE-2006-1681 #1209

Open
godpit opened this Issue May 18, 2018 · 7 comments

2 participants
@godpit

godpit commented May 18, 2018

how to resolve this problem, please?

@godpit


godpit commented May 18, 2018

Cross-site scripting (XSS) vulnerability in Cherokee HTTPD 0.5 and earlier allows remote attackers to inject arbitrary web script or HTML via a malformed request that generates an HTTP 400 error, which is not properly handled when the error message is generated.
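The defect described in that CVE text is reflected request data reaching an error page without HTML escaping. The following is an added C example, not Cherokee's own handler_error.c: `html_escape` and `build_400_body` are assumed names, the sample request line is constructed, and the `escape == 0` path exists only to show the unsafe pattern beside the hardened one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape the characters that would let echoed request text be parsed as
 * markup. Returns a heap string the caller frees, or NULL on allocation failure. */
char *html_escape(const char *in)
{
    static const char *const rep[256] = {
        ['&'] = "&amp;", ['<'] = "&lt;", ['>'] = "&gt;",
        ['"'] = "&quot;", ['\''] = "&#39;"
    };
    size_t len = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++)
        len += rep[*p] ? strlen(rep[*p]) : 1;
    char *out = malloc(len + 1), *q = out;
    if (!out) return NULL;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (rep[*p]) { size_t n = strlen(rep[*p]); memcpy(q, rep[*p], n); q += n; }
        else *q++ = (char)*p;
    }
    *q = '\0';
    return out;
}

/* Build the body of a 400 response that echoes the offending request line.
 * escape == 0 reproduces the unsafe pattern (verbatim copy of attacker input);
 * escape != 0 is the hardened form. Caller frees the result. */
char *build_400_body(const char *request_line, int escape)
{
    static const char fmt[] = "<html><body><h1>400 Bad Request</h1>"
                              "<p>Could not parse request: %s</p></body></html>";
    char *shown;
    if (escape) {
        shown = html_escape(request_line);
    } else {
        shown = malloc(strlen(request_line) + 1);
        if (shown) strcpy(shown, request_line);
    }
    if (!shown) return NULL;
    size_t n = strlen(fmt) + strlen(shown) + 1;
    char *body = malloc(n);
    if (body) snprintf(body, n, fmt, shown);
    free(shown);
    return body;
}

int main(void)
{
    /* Constructed sample: a malformed request line that carries markup. */
    const char *req = "GET /<x> HTTP/1.1";
    char *raw = build_400_body(req, 0), *safe = build_400_body(req, 1);
    printf("unescaped: %s\nescaped:   %s\n", raw, safe);
    free(raw); free(safe);
    return 0;
}
```

The hardened path guarantees that every `<`, `>`, `&` and quote from the request appears in the page only as an entity, so the browser renders it as text rather than executing it.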

@skinkie


Member

skinkie commented May 18, 2018

Is this issue still present in the latest version? We are much further than 2006 :)

@godpit


godpit commented May 18, 2018

I don't know where I used Cherokee Web Server. The error was scanned by the scanning tool.

@skinkie


Member

skinkie commented May 18, 2018

Which tool did you use, so I can try to reproduce the problem?

@godpit


godpit commented May 18, 2018

I don't know, this is the result of a third-party security scanning company. Can you tell me where I would be using the Cherokee Web Server, or in what scenario?

@skinkie


Member

skinkie commented May 18, 2018

I'll see if I can reproduce it soon :)

@skinkie skinkie self-assigned this May 18, 2018

@skinkie skinkie added the p:high label May 18, 2018

@godpit


godpit commented May 18, 2018

The third-party security scanning company scanned my server's port, but I didn't use 'cherokee'. This port is monitored by one of my web applications.
