Apache HTTP Server mod_ssl "Host:" header cross-site scripting

apache-modssl-host-xss (10457) The risk level is classified as MediumMedium Risk


The mod_ssl authentication module is vulnerable to cross-site scripting, caused by improper filtering of server signature data by Server Side Include (SSI) error pages. If the 'UseCanonicalName' option is disabled and the wildcard Domain Name System (DNS) is enabled, a remote attacker could create a specially-crafted URL request containing URL encoded script that would cause a malicious HTTP "Host:" header to be submitted to the server. Once the victim clicks the URL and the HTTP "Host:" header is processed, the embedded script would then be executed in the victim's browser within the security context of the hosting site. An attacker could use this vulnerability to hijack Web content, steal the victim's cookie-based authentication credentials, and potentially compromise the affected Web server.


Gain Access


Upgrade to the latest version of mod_ssl (2.8.12-1.3.27 or later), available from the mod_ssl Web site. See References.

For Debian GNU/Linux:
Upgrade to the latest libapache-mod-ssl package, as listed below. Refer to DSA-181-1 for more information. See References.

Debian GNU/Linux 2.2 (potato): 2.4.10-1.3.9-1potato4 or later

Debian GNU/Linux 3.0 (woody): 2.8.9-2.1 or later

For OpenPKG:
Upgrade to the latest apache package, as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2002.010 for more information. See References.

OpenPKG 1.0: 1.3.22-1.0.6 or later
OpenPKG 1.1: 1.3.26-1.1.2 or later
OpenPKG CURRENT: 1.3.27-20021023 or later

For Mandrake Linux:
Upgrade to the latest mod_ssl package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2001:072 : fetchmail for more information. See References.

Linux-Mandrake 7.2 , 8.0, 8.1 and Single Network Firewall 7.2: 2.8.5-3.2mdk or later
Mandrake Linux 8.2: 2.8.7-3.2mdk or later
Mandrake Linux 9.0: 2.8.4-5.2mdk or later

For Gentoo Linux:
Upgrade to the latest net-www/mod_ssl package. Refer to Gentoo Linux Security Announcement 200210-009 for upgrade instructions. See References.

For EnGarde Secure Linux: Community Edition: Upgrade to the latest apache package (1.3.27-1.0.33 or later), as listed in EnGarde Secure Linux Security Advisory ESA-20021029-027. See References.

For Conectiva Linux:
Upgrade to the latest apache package, as listed below. Refer to Conectiva Linux Announcement CLSA-2002:541 for more information. See References.

Conectiva Linux 6.0: 1.3.26-1U60_5cl or later
Conectiva Linux 7.0: 1.3.26-1U70_8cl or later
Conectiva Linux 8.0: 1.3.26-1U80_5cl or later

For Red Hat Linux:
Upgrade to the latest apache, mod_ssl or httpd package, as listed below. Refer to RHSA-2002:222-21. See References.

Red Hat 6.2: 1.3.27-1.6.2 or later
Red Hat 7.0 and 7.1: 1.3.27-1.7.1 or later
Red Hat 7.2 and 7.3: 1.3.27-1.7.2 or later

Red Hat 7.0 and 7.1: 2.8.12-1.7 or later
Red Hat 7.2 and 7.3: 2.8.12-2 or later
Red Hat 8.0: 2.0.40-11 or later

Red Hat 8.0: 2.0.40-11 or later

For other distributions:
Contact your vendor for upgrade or patch information.


Platforms Affected:

  • Apache HTTP Server 1.3.26
  • Apache HTTP Server 1.3.9
  • Conectiva Linux 6.0
  • Conectiva Linux 7.0
  • Conectiva Linux 8.0
  • Debian Debian Linux 2.2
  • Debian Debian Linux 3.0
  • EngardeLinux Secure Linux
  • Gentoo Linux
  • MandrakeSoft Mandrake Linux 7.2
  • MandrakeSoft Mandrake Linux 8.0 PPC
  • MandrakeSoft Mandrake Linux 8.0
  • MandrakeSoft Mandrake Linux 8.1 IA64
  • MandrakeSoft Mandrake Linux 8.1
  • MandrakeSoft Mandrake Linux 8.2
  • MandrakeSoft Mandrake Linux 8.2 PPC
  • MandrakeSoft Mandrake Linux 9.0
  • MandrakeSoft Mandrake Single Network Firewall 7.2
  • ModSSL Mod SSL 2.4.10
  • ModSSL Mod SSL 2.8.9
  • OpenPKG OpenPKG 1.0
  • OpenPKG OpenPKG 1.1
  • RedHat Enterprise Linux 2.1 AS
  • RedHat Linux 6.2
  • RedHat Linux 7
  • RedHat Linux 7.1
  • RedHat Linux 7.1 for iSeries
  • RedHat Linux 7.1 for pSeries
  • RedHat Linux 7.2
  • RedHat Linux 7.3
  • RedHat Linux 8.0
  • RedHat Linux Advanced Workstation 2.1 Itanium
  • RedHat Stronghold


Oct 22, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page