FreeBSD : mod_pubcookie -- XSS vulnerability (91afa94c-c452-11da-8bff-000ae42e9b93)
High Nessus Plugin ID 21474
SynopsisThe remote FreeBSD host is missing a security-related update.
DescriptionNathan Dors of the Pubcookie Project reports :
Non-persistent XSS vulnerabilities were found in the Pubcookie Apache module (mod_pubcookie) and ISAPI filter. These components mishandle untrusted data when printing responses to the browser. This makes them vulnerable to carefully crafted requests containing script or HTML. If an attacker can lure an unsuspecting user to visit carefully staged content, the attacker can use it to redirect the user to a vulnerable Pubcookie application server and attempt to exploit the XSS vulnerabilities.
These vulnerabilities are classified as *high* due to the nature and purpose of Pubcookie application servers for user authentication and Web Single Sign-on (SSO). An attacker who injects malicious script through the vulnerabilities might steal private Pubcookie data including a user's authentication assertion ('granting') cookies and application session cookies.
SolutionUpdate the affected package.