FreeBSD : mod_pubcookie -- XSS vulnerability (91afa94c-c452-11da-8bff-000ae42e9b93)

High Nessus Plugin ID 21474


The remote FreeBSD host is missing a security-related update.


Nathan Dors of the Pubcookie Project reports :

Non-persistent XSS vulnerabilities were found in the Pubcookie Apache module (mod_pubcookie) and ISAPI filter. These components mishandle untrusted data when printing responses to the browser. This makes them vulnerable to carefully crafted requests containing script or HTML. If an attacker can lure an unsuspecting user to visit carefully staged content, the attacker can use it to redirect the user to a vulnerable Pubcookie application server and attempt to exploit the XSS vulnerabilities.

These vulnerabilities are classified as *high* due to the nature and purpose of Pubcookie application servers for user authentication and Web Single Sign-on (SSO). An attacker who injects malicious script through the vulnerabilities might steal private Pubcookie data including a user's authentication assertion ('granting') cookies and application session cookies.


Update the affected package.

See Also

Plugin Details

Severity: High

ID: 21474

File Name: freebsd_pkg_91afa94cc45211da8bff000ae42e9b93.nasl

Version: $Revision: 1.10 $

Type: local

Published: 2006/05/13

Modified: 2014/08/14

Dependencies: 12634

Risk Information

Risk Factor: High

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:mod_pubcookie, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2006/04/05

Vulnerability Publication Date: 2006/03/06

Reference Information

CERT: 314540