mod_pagespeed and ngx_pagespeed Security Advisory: Cross-Site Scripting

CVE Identifier:

CVE-2013-6111

Disclosed:

October 28th, 2013

Versions Affected:
  • mod_pagespeed versions earlier than 1.0
  • mod_pagespeed version 1.0.22.7 (fixed in 1.0.22.8)
  • mod_pagespeed versions 1.1
  • mod_pagespeed 1.2.24.1 (fixed in 1.2.24.2)
  • mod_pagespeed 1.3.25.1 through 1.3.25.4 (fixed in 1.3.25.5)
  • mod_pagespeed 1.4.26.1 through 1.4.26.4 (fixed in 1.4.26.5)
  • mod_pagespeed and ngx_pagespeed 1.5.27.1 through 1.5.27.3 (fixed in 1.5.27.4)
  • mod_pagespeed and ngx_pagespeed 1.6.29.1 through 1.6.29.6 (fixed in 1.6.29.7)
Summary:

Some versions of mod_pagespeed and ngx_pagespeed are vulnerable to cross-site scripting (XSS), which can permit a hostile 3rd party to inject javascript running in the context of the site.

Solution:

For mod_pagespeed, update to one of versions 1.0.22.8-stable, 1.2.24.2-stable, 1.3.25.5-stable, 1.4.26.5-stable, 1.5.27.4-beta, or 1.6.29.7 or newer.

For ngx_pagespeed, update to 1.6.29.7 or newer.

Workaround:

No workaround is available for mod_pagespeed.

For ngx_pagespeed, you can completely prohibit access to /ngx_pagespeed_statistics, /ngx_pagespeed_global_statistics and /ngx_pagespeed_message (an IP whitelist is insufficient), via options similar to:

location /ngx_pagespeed_global_statistics { deny all; }
location /ngx_pagespeed_statistics { deny all; }
location /ngx_pagespeed_message { deny all; }