| Description: | Summary:
The remote host is missing an update for the 'httpd'
package(s) announced via the referenced advisory.
Vulnerability Insight:
The Apache HTTP Server is a popular web server.
Cross-site scripting (XSS) flaws were found in the mod_proxy_balancer
module's manager web interface. If a remote attacker could trick a user,
who was logged into the manager web interface, into visiting a
specially-crafted URL, it would lead to arbitrary web script execution in
the context of the user's manager interface session. (CVE-2012-4558)
It was found that mod_rewrite did not filter terminal escape sequences from
its log file. If mod_rewrite was configured with the RewriteLog directive,
a remote attacker could use specially-crafted HTTP requests to inject
terminal escape sequences into the mod_rewrite log file. If a victim viewed
the log file with a terminal emulator, it could result in arbitrary command
execution with the privileges of that user. (CVE-2013-1862)
Cross-site scripting (XSS) flaws were found in the mod_info, mod_status,
mod_imagemap, mod_ldap, and mod_proxy_ftp modules. An attacker could
possibly use these flaws to perform XSS attacks if they were able to make
the victim's browser generate an HTTP request with a specially-crafted Host
header. (CVE-2012-3499)
All httpd users should upgrade to these updated packages, which contain
backported patches to correct these issues. After installing the updated
packages, the httpd daemon will be restarted automatically.
Affected Software/OS:
httpd on CentOS 6
Solution:
Please install the updated packages.
CVSS Score:
5.1
CVSS Vector:
AV:N/AC:H/Au:N/C:P/I:P/A:P
|
