CVE-2009-0796: XSS
First published: Wed Apr 01 2009(Updated: )
A flaw was found in the httpd mod_perl Apache::Status module. If a site has the non default setting of making /perl-status page accessible, remote attackers could use that flaw to trick users or steal sensitive browser data. The original public announcement can be found here: <a href="http://marc.info/?l=apache-modperl&m=123862312808765&w=2">http://marc.info/?l=apache-modperl&m=123862312808765&w=2</a> The CVE id mentioned in the above mail is wrong, <a href="https://access.redhat.com/security/cve/CVE-2009-0796">CVE-2009-0796</a> is the proper CVE id.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache mod_perl | =1 | |
| Apache mod_perl | =2 | |
| Apache Http Server |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://launchpad.net/bugs/cve/2009-0796
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021508.1-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021709.1-1
- http://www.securitytracker.com/id?1021988
- http://www.securityfocus.com/archive/1/502709/100/0/threaded
- http://www.securityfocus.com/bid/34383
- http://secunia.com/advisories/34597
- http://www.vupen.com/english/advisories/2009/0943
- http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:091
- https://bugzilla.redhat.com/show_bug.cgi?id=494402
- http://www.gossamer-threads.com/lists/modperl/modperl-cvs/99477#99477
- http://www.gossamer-threads.com/lists/modperl/modperl/99475#99475
- http://support.apple.com/kb/HT4435
- http://svn.apache.org/viewvc/perl/modperl/branches/1.x/lib/Apache/Status.pm?r1=177851&r2=761081&pathrev=761081&diff_format=h
- http://svn.apache.org/viewvc?view=rev&revision=761081
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8488
- http://svn.apache.org/viewvc/perl/modperl/branches/1.x/lib/Apache/Status.pm?r1=177851&r2=761081&pathrev=761081&diff_format=h
- http://svn.apache.org/viewvc?view=rev&revision=761081
- http://marc.info/?l=apache-modperl&m=123862312808765&w=2
- https://access.redhat.com/security/cve/CVE-2009-0796
- http://svn.apache.org/viewvc/perl/modperl/branches/1.x/lib/Apache/Status.pm?view=log&pathrev=761081
- http://www.redhat.com/security/updates/classification/
- http://svn.apache.org/viewvc/perl/modperl/trunk/lib/Apache2/Status.pm?r1=607697
- https://www.cve.org/CVERecord?id=CVE-2009-0796 https://nvd.nist.gov/vuln/detail/CVE-2009-0796
- https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0796.json
Frequently Asked Questions
What is the severity of CVE-2009-0796?
CVE-2009-0796 is classified as a moderate severity vulnerability impacting the Apache mod_perl module.
How do I fix CVE-2009-0796?
To fix CVE-2009-0796, remove or restrict access to the /perl-status page in your configuration.
Which versions are affected by CVE-2009-0796?
CVE-2009-0796 affects Apache mod_perl versions 1 and 2.
What type of attack is possible with CVE-2009-0796?
CVE-2009-0796 allows remote attackers to trick users or steal sensitive browser data.
Is there a patch available for CVE-2009-0796?
There is no specific patch for CVE-2009-0796, but mitigating the exposure of the vulnerable feature is recommended.
- collector/nvd-historical
- collector/launchpad-cve
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2009-0796
- collector/redhat-cve
- agent/severity
- agent/references
- agent/author
- agent/remedy
- agent/event
- agent/description
- agent/weakness
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/apache
- canonical/apache mod_perl
- version/apache mod_perl/1
- version/apache mod_perl/2
- canonical/apache http server