Mandrake Linux Security Advisory : mod_ssl (MDKSA-2002:072)
Severity: High
Nessus Plugin ID: 13972
Synopsis: The remote Mandrake Linux host is missing a security update.
Description: A cross-site scripting vulnerability was discovered in mod_ssl by Joe Orton. It only affects servers that combine wildcard DNS with 'UseCanonicalName off' (which is not the default in Mandrake Linux). With this setting turned off, Apache builds self-referencing URLs from the hostname:port that the client supplies, and that client-controlled value is where the problem comes into play: it is reflected back to the browser. With the setting turned on (the default), Apache constructs the self-referencing URL from ServerName and Port to form the canonical name, so the client-supplied value is not used.
It is recommended that all users upgrade, regardless of the setting of the 'UseCanonicalName' configuration option.
Solution: Update the affected mod_ssl package.
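Because exposure hinges on the effective 'UseCanonicalName' value, the following added example (not Nessus or Mandrake code) audits an httpd.conf for that directive in the main server and in each VirtualHost. It is a simplified parser that ignores Include files and nested containers, and it assumes an unset directive means the "On" default the advisory describes.

```python
import re
# The advisory says the Mandrake default is "UseCanonicalName On"; treating an unset
# directive as that default is an assumption made for this example.
DEFAULT_USE_CANONICAL_NAME = "on"
_DIRECTIVE = re.compile(r"^\s*UseCanonicalName\s+(\S+)", re.IGNORECASE)
_VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
_VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.IGNORECASE)

def audit_use_canonical_name(config_text):
    """Map "main server" and each <VirtualHost> address to its effective (lower-cased)
    UseCanonicalName value; a VirtualHost without the directive inherits the main one."""
    main_value = DEFAULT_USE_CANONICAL_NAME
    vhost_values = {}   # VirtualHost address -> explicit value, or None if inherited
    current = None      # VirtualHost being parsed, None while in the main server scope
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0]   # drop comments (simplified: no Include handling)
        if not line.strip():
            continue
        opened = _VHOST_OPEN.match(line)
        directive = _DIRECTIVE.match(line)
        if opened:
            current = opened.group(1).strip()
            vhost_values.setdefault(current, None)
        elif _VHOST_CLOSE.match(line):
            current = None
        elif directive and current is None:
            main_value = directive.group(1).lower()
        elif directive:
            vhost_values[current] = directive.group(1).lower()
    scopes = {"main server": main_value}
    for name, value in vhost_values.items():
        scopes[name] = main_value if value is None else value
    return scopes

def exposed_scopes(config_text):
    """Scopes where Apache would build self-referencing URLs from the client-supplied
    hostname:port, i.e. the setting this advisory describes as affected."""
    return sorted(s for s, v in audit_use_canonical_name(config_text).items() if v == "off")

# Constructed sample httpd.conf for the example (not taken from a real host).
SAMPLE_CONFIG = """\
# UseCanonicalName Off   <- commented out, must be ignored
<VirtualHost *:443>
    UseCanonicalName off
</VirtualHost>
<VirtualHost *:80>
</VirtualHost>
UseCanonicalName On
"""
```

Running `exposed_scopes(SAMPLE_CONFIG)` flags only the `*:443` VirtualHost; the audit is a configuration check, and the advisory still recommends upgrading the package regardless of the result.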