| <html> |
| <head> |
| <meta name="viewport" content="width=device-width, initial-scale=1"> |
| <title>mod_pagespeed and ngx_pagespeed Security Advisory: Cross-Site Scripting</title> |
| <link rel="stylesheet" href="doc.css"> |
| </head> |
| <body> |
| <!--#include virtual="_header.html" --> |
| |
| |
| <div id=content> |
| <h1>mod_pagespeed and ngx_pagespeed Security Advisory: Cross-Site Scripting</h1> |
| <dl> |
| <dt>CVE Identifier:</dt> |
| <dd><p>CVE-2013-6111</p></dd> |
| <dt>Disclosed:</dt> |
| <dd><p>October 28th, 2013</p></dd> |
| <dt>Versions Affected:</dt> |
| <dd> |
| <ul> |
| <li>mod_pagespeed versions earlier than 1.0</li> |
| <li>mod_pagespeed version 1.0.22.7 (fixed in 1.0.22.8)</li> |
<li>all mod_pagespeed 1.1 versions</li>
| <li>mod_pagespeed 1.2.24.1 (fixed in 1.2.24.2)</li> |
| <li>mod_pagespeed 1.3.25.1 through 1.3.25.4 (fixed in 1.3.25.5)</li> |
| <li>mod_pagespeed 1.4.26.1 through 1.4.26.4 (fixed in 1.4.26.5)</li> |
| <li>mod_pagespeed and ngx_pagespeed 1.5.27.1 through 1.5.27.3 (fixed in 1.5.27.4)</li> |
| <li>mod_pagespeed and ngx_pagespeed 1.6.29.1 through 1.6.29.6 (fixed in 1.6.29.7)</li> |
| </ul> |
| </dd> |
| <dt>Summary:</dt> |
<dd><p>Some versions of mod_pagespeed and ngx_pagespeed are vulnerable to
cross-site scripting (XSS), which permits a hostile third party to
inject JavaScript that runs in the security context of the site.</p></dd>
| <dt>Solution:</dt> |
| <dd><p>For mod_pagespeed, update to one of versions 1.0.22.8-stable, |
| 1.2.24.2-stable, 1.3.25.5-stable, 1.4.26.5-stable, 1.5.27.4-beta, or |
| 1.6.29.7 or newer.</p> |
| |
| <p>For ngx_pagespeed, update to 1.6.29.7 or newer.</p> |
| </dd> |
| <dt>Workaround:</dt> |
| <dd> |
| <p>No workaround is available for mod_pagespeed.</p> |
| |
<p>For ngx_pagespeed, you can completely prohibit access to
<code>/ngx_pagespeed_statistics</code>,
<code>/ngx_pagespeed_global_statistics</code> and
<code>/ngx_pagespeed_message</code> via options similar to:</p>
<pre>
location /ngx_pagespeed_global_statistics { deny all; }
location /ngx_pagespeed_statistics { deny all; }
location /ngx_pagespeed_message { deny all; }
</pre>
<p>An IP whitelist is insufficient: the injected script executes in the
browser of a user who is permitted to reach these handlers, so access must
be denied to every client, administrators included, until the server is
upgraded to a fixed version.</p>
</dd>
</dl>
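<p>The following check is an added example, not part of this advisory and not
code from the mod_pagespeed or ngx_pagespeed projects. It reads an nginx
configuration fragment and reports, for each of the three handler paths
above, whether the block nginx would select for that path denies all clients,
admits some clients through an IP whitelist (the weak setting the advisory
warns against), or leaves the handler open. It assumes a flat configuration
with only exact (<code>=</code>) and prefix locations; regex locations,
nested blocks and <code>include</code> files are not handled. The two sample
configurations are constructed for the example.</p>

```python
import re

# Handlers the advisory says must be blocked outright on vulnerable ngx_pagespeed builds.
ADMIN_PATHS = (
    "/ngx_pagespeed_statistics",
    "/ngx_pagespeed_global_statistics",
    "/ngx_pagespeed_message",
)

# Matches flat, non-nested location blocks: optional modifier, path, body.
# Regex locations (~, ~*) are captured but ignored by select_block().
_LOCATION_RE = re.compile(
    r"location\s+(?:(=|\^~|~\*|~)\s+)?(\S+)\s*\{([^{}]*)\}", re.S
)


def parse_locations(config_text):
    """Return a list of (modifier, path, [directive, ...]) per location block."""
    blocks = []
    for mod, path, body in _LOCATION_RE.findall(config_text):
        directives = [d.strip() for d in body.split(";") if d.strip()]
        blocks.append((mod, path, directives))
    return blocks


def select_block(blocks, request_path):
    """Pick the block nginx would use for request_path, considering only
    exact (=) and prefix locations: an exact match wins, otherwise the
    longest matching prefix. Regex locations are ignored (an assumption
    of this example, not full nginx matching semantics)."""
    best = None
    for mod, path, directives in blocks:
        if mod == "=":
            if path == request_path:
                return directives
        elif mod in ("", "^~") and request_path.startswith(path):
            if best is None or len(path) > len(best[0]):
                best = (path, directives)
    return best[1] if best else None


def access_verdict(directives):
    """nginx applies allow/deny rules in order and stops at the first one
    matching the client. Any 'allow' ahead of 'deny all' therefore admits
    some client, and the XSS runs in that admitted client's browser."""
    if directives is None:
        return "open"
    for directive in directives:
        words = directive.split()
        if words[0] == "allow":
            return "ip-whitelist"
        if words[0] == "deny" and words[1:] == ["all"]:
            return "denied"
    return "open"


def check_workaround(config_text):
    """Map each admin handler path to 'denied', 'ip-whitelist' or 'open'."""
    blocks = parse_locations(config_text)
    return {p: access_verdict(select_block(blocks, p)) for p in ADMIN_PATHS}


# Constructed sample configurations (not taken from any real deployment).
WEAK_CONFIG = """
location /ngx_pagespeed_statistics        { allow 10.0.0.0/8; deny all; }
location /ngx_pagespeed_global_statistics { allow 10.0.0.0/8; deny all; }
location /                                { root /var/www/html; }
"""

FIXED_CONFIG = """
location /ngx_pagespeed_global_statistics { deny all; }
location /ngx_pagespeed_statistics { deny all; }
location /ngx_pagespeed_message { deny all; }
location / { root /var/www/html; }
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_workaround(cfg))
```

<p>Against the weak sample, the two whitelisted handlers report
<code>ip-whitelist</code> and the unguarded message handler reports
<code>open</code>; against the fixed sample all three report
<code>denied</code>. Because the check applies nginx's longest-prefix rule,
a single <code>location /ngx_pagespeed_ { deny all; }</code> block is also
recognised as covering all three paths.</p>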
| </div> |
| <!--#include virtual="_footer.html" --> |
| </body> |
| </html> |