Member "incubator-pagespeed-mod-1.14.36.1/html/doc/CVE-2013-6111.html" (28 Feb 2020, 3029 Bytes) of package /linux/www/apache_httpd_modules/incubator-pagespeed-mod-1.14.36.1.tar.gz:

mod_pagespeed and ngx_pagespeed Security Advisory: Cross-Site Scripting

CVE Identifier: CVE-2013-6111

Disclosed: October 28th, 2013

Versions Affected:
  • mod_pagespeed versions earlier than 1.0
  • mod_pagespeed version 1.0.22.7 (fixed in 1.0.22.8)
  • mod_pagespeed versions 1.1
  • mod_pagespeed 1.2.24.1 (fixed in 1.2.24.2)
  • mod_pagespeed 1.3.25.1 through 1.3.25.4 (fixed in 1.3.25.5)
  • mod_pagespeed 1.4.26.1 through 1.4.26.4 (fixed in 1.4.26.5)
  • mod_pagespeed and ngx_pagespeed 1.5.27.1 through 1.5.27.3 (fixed in 1.5.27.4)
  • mod_pagespeed and ngx_pagespeed 1.6.29.1 through 1.6.29.6 (fixed in 1.6.29.7)

Summary:

Some versions of mod_pagespeed and ngx_pagespeed are vulnerable to cross-site scripting (XSS), which can permit a hostile third party to inject JavaScript that runs in the context of the site.

Solution:

For mod_pagespeed, update to one of versions 1.0.22.8-stable, 1.2.24.2-stable, 1.3.25.5-stable, 1.4.26.5-stable, 1.5.27.4-beta, or 1.6.29.7 or newer.

For ngx_pagespeed, update to 1.6.29.7 or newer.

Workaround:

No workaround is available for mod_pagespeed.

For ngx_pagespeed, you can completely prohibit access to /ngx_pagespeed_statistics, /ngx_pagespeed_global_statistics and /ngx_pagespeed_message (an IP whitelist is insufficient), via options similar to:

location /ngx_pagespeed_global_statistics { deny all; }
location /ngx_pagespeed_statistics { deny all; }
location /ngx_pagespeed_message { deny all; }
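The following is an added example (not part of the advisory or the pagespeed project) that checks whether an nginx configuration actually applies the workaround above. It implements a deliberately small nginx config parser (an assumption: it handles `location` blocks with nested braces and `#` comments, but not `include` files or `#` inside quoted strings) and applies nginx's first-match `allow`/`deny` semantics, so a config that whitelists office IPs before `deny all` is reported as "whitelisted" rather than "blocked", matching the advisory's note that an IP whitelist is insufficient. The two sample configurations are constructed for the example.

```python
"""Verify the CVE-2013-6111 ngx_pagespeed workaround in an nginx config.

Added example, not project code. Assumes a simplified nginx grammar:
`location [modifier] path { directives; nested { ... } }`, with `#` comments.
"""
import re

# The three handler paths the advisory says must be denied outright.
PAGESPEED_HANDLERS = (
    "/ngx_pagespeed_global_statistics",
    "/ngx_pagespeed_statistics",
    "/ngx_pagespeed_message",
)

LOCATION_RE = re.compile(r"\blocation\s+(?:(=|~\*?|\^~)\s+)?(\S+)\s*\{")


def _strip_comments(text):
    """Drop `#` comments to end of line (assumption: no `#` inside quoted values)."""
    return re.sub(r"#[^\n]*", "", text)


def _block_end(text, start):
    """Return the index just past the `}` that closes the `{` at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i + 1
    raise ValueError("unbalanced braces in config")


def parse_locations(config_text):
    """Map each location path to the list of its own (non-nested) directives.

    The location modifier (=, ~, ^~) is parsed but ignored; the advisory's
    workaround uses plain prefix locations, which is what we expect here.
    """
    text = _strip_comments(config_text)
    locations = {}
    for m in LOCATION_RE.finditer(text):
        path = m.group(2)
        end = _block_end(text, m.end() - 1)
        body = text[m.end():end - 1]
        # Remove nested blocks (e.g. `if (...) { ... }`) together with their
        # head, so only this location's own directives are split on `;`.
        while "{" in body:
            open_i = body.index("{")
            close_i = _block_end(body, open_i)
            head = body.rfind(";", 0, open_i) + 1
            body = body[:head] + body[close_i:]
        directives = [" ".join(d.split()) for d in body.split(";") if d.strip()]
        locations[path] = directives
    return locations


def handler_status(config_text):
    """Classify each pagespeed handler path as 'blocked', 'whitelisted' or 'exposed'.

    nginx evaluates allow/deny in order and the first match wins, so only a
    location whose first access directive is `deny all` is really closed.
    """
    locations = parse_locations(config_text)
    status = {}
    for path in PAGESPEED_HANDLERS:
        directives = locations.get(path)
        if directives is None:
            status[path] = "exposed"          # no location block covers the handler
            continue
        access = [d for d in directives if d.split()[0] in ("allow", "deny")]
        if access and access[0] == "deny all":
            status[path] = "blocked"
        elif "deny all" in access:
            status[path] = "whitelisted"      # an allow precedes deny all: insufficient
        else:
            status[path] = "exposed"
    return status


def workaround_applied(config_text):
    """True only when all three handlers are denied for everyone."""
    return all(s == "blocked" for s in handler_status(config_text).values())


# Constructed sample: IP whitelist on two handlers, third handler not covered.
WEAK_CONFIG = """
server {
    listen 80;
    pagespeed on;
    # Office IPs only: the advisory says this is NOT enough
    location /ngx_pagespeed_statistics        { allow 192.0.2.0/24; deny all; }
    location /ngx_pagespeed_global_statistics { allow 192.0.2.0/24; deny all; }
    location / { try_files $uri $uri/ =404; }
}
"""

# Constructed sample: the advisory's workaround applied as written.
HARDENED_CONFIG = """
server {
    listen 80;
    pagespeed on;
    location /ngx_pagespeed_global_statistics { deny all; }
    location /ngx_pagespeed_statistics { deny all; }
    location /ngx_pagespeed_message { deny all; }
    location / { try_files $uri $uri/ =404; }
}
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, handler_status(cfg), "ok" if workaround_applied(cfg) else "NOT ok")
```

Run it against a copy of your real `nginx.conf` (after resolving `include` directives yourself, which this parser does not follow) and treat anything other than "blocked" for all three paths as the workaround not being in place.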