Note: This is an archival copy of Security Sun Alert 274110 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1021709.1.
Solaris 8 Operating System
Solaris 9 Operating System
Solaris 10 Operating System
Date of Workaround Release
Security Vulnerability in the Apache 1.3 "mod_perl" Module Component "Status.pm" May Lead to Unauthorized Access to Data
A cross-site scripting (XSS) vulnerability in the Apache 1.3 HTTP server "mod_perl" module's perl-status utility may allow an unprivileged remote user to inject arbitrary web script or HTML while accessing a crafted URL to perl-status utility. This can result in various impacts including the theft of sensitive information such as cookie information, access to user credentials or the hijacking of sessions.
Additional information regarding this issue is available at:
CVE-2009-0796 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0796
2. Contributing Factors
This issue can occur in the following releases:
1. OpenSolaris distributions may include additional bug fixes above and beyond the build from which it was derived. To determine the base build of OpenSolaris, the following command can be used:
$ uname -v2. A system is only vulnerable to the described issue if the Apache 1.3 web server has been configured and is running on the system.
The following command can be executed to determine if the Apache 1.3 web server is currently running on the system:
$ /usr/bin/ps -ef | grep httpd3. The vulnerability only affects systems which make use of the Apache 1.3 Server mod_perl(3) (Status.pm) component.
To determine if the "Status.pm" component is used, the following command can be run for all configuration files that define the running Apache 1.3 configurations:
$ grep Apache::Status /etc/apache/httpd.confNote: Solaris 8 entered EOSL Phase 2 on 1 April 2009. Entitlement to patches developed on or after 1 April 2009 requires the purchase of the Solaris 8 Vintage Patch Service. See Note in section 5 for more details.
There are no predictable symptoms that would indicate the issue has been exploited.
To work around the described issue, do not configure the mod_perl(3) component Status.pm in the Apache 1.3 "httpd.conf" file. This may be done by commenting the corresponding sections in the configuration file which contain "Apache::Status".
This issue is addressed in the following releases:
Note: The READMEs of Solaris 8 patches developed on or after 1 April 2009 are available to all customers however Solaris 8 entered EOSL Phase 2 on April 1, 2009 and thus entitlement for these patches, including those that fix security vulnerabilities, requires the purchase of the Solaris 8 Vintage Patch Service. More information about the Solaris 8 Vintage Patch Service is available at:
For more information on Security Sun Alerts, see 1009886.1.
25-Feb-2010: Updated for Patches Pending
08-Mar-2010: Updated Contributing Factors and Resolution sections for Solaris 9 patches
This solution has no attachment