SECURITY: CVE-2005-3352 (cve.mitre.org)

   mod_imap: Escape untrusted referer header before outputting in HTML
   to avoid potential cross-site scripting.  Change also made to
   ap_escape_html so we escape quotes.  Reported by JPCERT.
   [Mark Cox]

Reported by:	simon

1 files changed, 35 insertions, 0 deletions

diff --git a/www/apache13-modperl/files/patch-secfix-CAN-2005-3352 b/www/apache13-modperl/files/patch-secfix-CAN-2005-3352
new file mode 100644
index 000000000000..8febc0e58935
--- /dev/null
+++ b/www/apache13-modperl/files/patch-secfix-CAN-2005-3352
@@ -0,0 +1,35 @@
+--- src/main/util.c (original)
++++ src/main/util.c Mon Dec 12 08:36:54 2005
+@@ -1722,6 +1722,8 @@
+ 	    j += 3;
+ 	else if (s[i] == '&')
+ 	    j += 4;
++	else if (s[i] == '"')
++	    j += 5;
+ 
+     if (j == 0)
+ 	return ap_pstrndup(p, s, i);
+@@ -1739,6 +1741,10 @@
+ 	else if (s[i] == '&') {
+ 	    memcpy(&x[j], "&", 5);
+ 	    j += 4;
++	}
++	else if (s[i] == '"') {
++	    memcpy(&x[j], """, 6);
++	    j += 5;
+ 	}
+ 	else
+ 	    x[j] = s[i];
+
+--- src/modules/standard/mod_imap.c (original)
++++ src/modules/standard/mod_imap.c Mon Dec 12 08:36:54 2005
+@@ -328,7 +328,7 @@
+     if (!strcasecmp(value, "referer")) {
+         referer = ap_table_get(r->headers_in, "Referer");
+         if (referer && *referer) {
+-	    return ap_pstrdup(r->pool, referer);
++	    return ap_escape_html(r->pool, referer);
+         }
+         else {
+ 	    /* XXX:  This used to do *value = '\0'; ... which is totally bogus
+