Executive Summary

This Alert is flagged as a TOP 25 Common Weakness Enumeration by CWE/SANS.
Summary
Title Sun Alert 274110 Security Vulnerability in the Apache 1.3 "mod_perl" Module Component "Status.pm" May Lead to Unauthorized Access to Data
Information
Name: SUN-274110
Vendor: Sun
First vendor publication: 2009-12-16
Last vendor modification: 2010-03-08
Severity (vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact sub score: NA
Temporal score: NA
Exploitability sub score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CVSS base score: 2.6
CVSS impact score: 2.9
CVSS exploit score: 4.9
Attack range: Network
Attack complexity: High
Authentication: None required

Detail

Product: Solaris 8, Solaris 9, Solaris 10, OpenSolaris

A cross-site scripting (XSS) vulnerability in the Apache 1.3 HTTP server "mod_perl" module's perl-status utility may allow an unprivileged remote user to inject arbitrary web script or HTML while accessing a crafted URL to the perl-status utility. This can result in various impacts including the theft of sensitive information such as cookie information, access to user credentials or the hijacking of sessions.

Additional information regarding this issue is available at:

State: Workaround
First released: 15-Dec-2009

Original Source

Url : http://blogs.sun.com/security/entry/sun_alert_274110_security_vulnerability

CWE : Common Weakness Enumeration

%      Id      Name
100 %  CWE-79  Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

OVAL Definitions

Oval ID: oval:org.mitre.oval:def:8488
Title: Security Vulnerabilities in the Apache 2 "mod_perl2" Module Components "Status.pm" May Lead to Denial of Service (DoS) or Unauthorized Access to Data
Description: Cross-site scripting (XSS) vulnerability in Status.pm in Apache::Status and Apache2::Status in mod_perl1 and mod_perl2 for the Apache HTTP Server, when /perl-status is accessible, allows remote attackers to inject arbitrary web script or HTML via the URI.
Family: unix
Class: vulnerability
Reference(s): CVE-2009-0796
Version: 2
Platform(s): Sun Solaris 10
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

Type         Description  Count
Application               2

OpenVAS Exploits

Date Description
2011-09-07 Name : Mac OS X v10.6.4 Multiple Vulnerabilities (2010-007)
File : nvt/gb_macosx_su10-007.nasl
2010-02-03 Name : Solaris Update for Apache 1.3 122911-19
File : nvt/gb_solaris_122911_19.nasl
2010-02-03 Name : Solaris Update for Apache 1.3 122912-19
File : nvt/gb_solaris_122912_19.nasl
2009-12-14 Name : Mandriva Security Advisory MDVSA-2009:091-1 (mod_perl)
File : nvt/mdksa_2009_091_1.nasl
2009-05-20 Name : FreeBSD Ports: mod_perl
File : nvt/freebsd_mod_perl0.nasl
2009-04-20 Name : Ubuntu USN-757-1 (gs-gpl)
File : nvt/ubuntu_757_1.nasl
2009-04-15 Name : Mandrake Security Advisory MDVSA-2009:091 (mod_perl)
File : nvt/mdksa_2009_091.nasl
2009-04-13 Name : Apache mod_perl 'Apache::Status' and 'Apache2::Status' Cross Site Scripting V...
File : nvt/modperl_cve_2009_0796.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
53289 Apache mod_perl Apache::Status /perl-status Unspecified XSS

Nessus® Vulnerability Scanner

Date Description
2010-11-10 Name : The remote host is missing a Mac OS X update that fixes various security issues.
File : macosx_10_6_5.nasl - Type : ACT_GATHER_INFO
2010-11-10 Name : The remote host is missing a Mac OS X update that fixes security issues.
File : macosx_SecUpd2010-007.nasl - Type : ACT_GATHER_INFO
2009-05-18 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_4a63889541b711deb1cc00219b0fc4d8.nasl - Type : ACT_GATHER_INFO
2009-04-23 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2009-091.nasl - Type : ACT_GATHER_INFO
2009-04-07 Name : The remote web server uses a module that is affected by a cross-site scriptin...
File : mod_perl_status_uri_xss.nasl - Type : ACT_GATHER_INFO
2006-07-18 Name : The remote host is missing Sun Security Patch number 122911-37
File : solaris10_122911.nasl - Type : ACT_GATHER_INFO
2006-07-18 Name : The remote host is missing Sun Security Patch number 122912-37
File : solaris10_x86_122912.nasl - Type : ACT_GATHER_INFO