<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>mod_pagespeed and ngx_pagespeed Security Advisory: Cross-Site Scripting</title>
<link rel="stylesheet" href="doc.css">
</head>
<body>
<!--#include virtual="_header.html" -->
<div id=content>
<h1>mod_pagespeed and ngx_pagespeed Security Advisory: Cross-Site Scripting</h1>
<dl>
<dt>CVE Identifier:</dt>
<dd><p>CVE-2013-6111</p></dd>
<dt>Disclosed:</dt>
<dd><p>October 28th, 2013</p></dd>
<dt>Versions Affected:</dt>
<dd>
<ul>
<li>mod_pagespeed versions earlier than 1.0</li>
<li>mod_pagespeed version 1.0.22.7 (fixed in 1.0.22.8)</li>
<li>mod_pagespeed versions 1.1</li>
<li>mod_pagespeed 1.2.24.1 (fixed in 1.2.24.2)</li>
<li>mod_pagespeed 1.3.25.1 through 1.3.25.4 (fixed in 1.3.25.5)</li>
<li>mod_pagespeed 1.4.26.1 through 1.4.26.4 (fixed in 1.4.26.5)</li>
<li>mod_pagespeed and ngx_pagespeed 1.5.27.1 through 1.5.27.3 (fixed in 1.5.27.4)</li>
<li>mod_pagespeed and ngx_pagespeed 1.6.29.1 through 1.6.29.6 (fixed in 1.6.29.7)</li>
</ul>
</dd>
<dt>Summary:</dt>
<dd><p>Some versions of mod_pagespeed and ngx_pagespeed are vulnerable to
cross-site scripting (XSS), which can permit a hostile third party to
inject JavaScript that runs in the context of the site.</p></dd>
<dt>Solution:</dt>
<dd><p>For mod_pagespeed, update to one of versions 1.0.22.8-stable,
1.2.24.2-stable, 1.3.25.5-stable, 1.4.26.5-stable, 1.5.27.4-beta, or
1.6.29.7 or newer.</p>
<p>For ngx_pagespeed, update to 1.6.29.7 or newer.</p>
</dd>
<dt>Workaround:</dt>
<dd>
<p>No workaround is available for mod_pagespeed.</p>
<p>For ngx_pagespeed, you can completely prohibit access to
<code>/ngx_pagespeed_statistics</code>,
<code>/ngx_pagespeed_global_statistics</code> and
<code>/ngx_pagespeed_message</code> (an IP whitelist is insufficient), via
options similar to:</p>
<pre>
location /ngx_pagespeed_global_statistics { deny all; }
location /ngx_pagespeed_statistics { deny all; }
location /ngx_pagespeed_message { deny all; }
</pre>
</dd>
</dl>
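<p>To check that a deployed nginx configuration actually applies the workaround above, here is an added audit script; it is not part of this advisory or of the ngx_pagespeed project. It parses a constructed sample config and reports each of the three handler paths as denied outright, protected only by an IP allow-list (which the advisory calls insufficient, since the injected script executes in an allowed user's browser), open, or missing. It assumes flat <code>location</code> blocks with no nested braces.</p>

```python
import re

# The three ngx_pagespeed handler paths the advisory says must be blocked outright.
PAGESPEED_HANDLERS = (
    "/ngx_pagespeed_global_statistics",
    "/ngx_pagespeed_statistics",
    "/ngx_pagespeed_message",
)
# Constructed sample nginx config (not from the advisory): one handler is denied
# outright, one relies on an IP allow-list, and one has no location block at all.
SAMPLE_CONFIG = """
server {
    location /ngx_pagespeed_global_statistics { deny all; }
    location /ngx_pagespeed_statistics {
        allow 10.0.0.0/8;
        deny all;
    }
    location / { root /var/www; }
}
"""

# Simplifying assumption: location blocks are flat (no nested braces inside them).
_LOCATION_RE = re.compile(r"location\s+(?:[=~*^]+\s+)?(\S+)\s*\{([^}]*)\}")


def audit_pagespeed_locations(config_text):
    """Map each handler path to one of four verdicts.
    denied      - unconditional `deny all;`, the advisory's workaround
    allowlisted - an `allow` directive precedes `deny all;`; insufficient,
                  because the injected script runs in an allowed user's browser
    open        - a location block exists but never denies access
    missing     - no location block for the path
    """
    blocks = {m.group(1): m.group(2) for m in _LOCATION_RE.finditer(config_text)}
    verdicts = {}
    for path in PAGESPEED_HANDLERS:
        body = blocks.get(path)
        if body is None:
            verdicts[path] = "missing"
            continue
        directives = [d.strip() for d in body.split(";") if d.strip()]
        has_deny_all = "deny all" in directives
        has_allow = any(d.startswith("allow ") for d in directives)
        if not has_deny_all:
            verdicts[path] = "open"
        elif has_allow:
            verdicts[path] = "allowlisted"
        else:
            verdicts[path] = "denied"
    return verdicts
```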
</div>
<!--#include virtual="_footer.html" -->
</body>
</html>