Rapid7 Vulnerability & Exploit Database

Apache HTTPD: Error page XSS using wildcard DNS (CVE-2002-0840)


Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Published: 10/11/2002
Created: 07/25/2018
Added: 04/12/2012
Modified: 02/20/2020

Description

The affected asset is vulnerable ONLY if UseCanonicalName is off and support for wildcard DNS is present. Review your web server configuration to validate both conditions.

Cross-site scripting (XSS) vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26, when UseCanonicalName is "Off" and support for wildcard DNS is present, allows remote attackers to execute script as other web page visitors via the Host: header.
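An offline check for the two conditions above that can be read from the server itself (version range and UseCanonicalName Off); wildcard DNS has to be confirmed separately in the DNS zone. This is an added example, not Rapid7 or Apache code: the function names and sample configuration are constructed, and treating an absent directive as On is an assumption.

```python
import re

OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"</\s*\w+\s*>")
UCN = re.compile(r"UseCanonicalName\s+(\S+)", re.IGNORECASE)

def version_affected(version):
    """True for the ranges the advisory names: 1.3.x <= 1.3.26, 2.0.x < 2.0.43."""
    v = tuple(int(p) for p in version.split("."))
    return (v[:2] == (1, 3) and v <= (1, 3, 26)) or (v[:2] == (2, 0) and v < (2, 0, 43))

def effective_settings(conf_text, default="on"):
    """Map 'server' and every container to its effective UseCanonicalName value.
    default="on" is an assumption for these releases; pass another if needed."""
    stack, parent, explicit = ["server"], {}, {}
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # httpd comments are whole lines
            continue
        if CLOSE.match(line):
            if len(stack) > 1:
                stack.pop()
        elif (m := OPEN.match(line)):
            scope = f"{m.group(1)} {m.group(2).strip()} (line {n})"
            parent[scope] = stack[-1]          # containers inherit from their parent
            stack.append(scope)
        elif (m := UCN.match(line)):
            explicit[stack[-1]] = m.group(1).lower()   # last directive in a scope wins
    def resolve(scope):
        while scope not in explicit and scope != "server":
            scope = parent[scope]
        return explicit.get(scope, default)
    return {s: resolve(s) for s in ["server", *parent]}

def exposed_scopes(version, conf_text):
    """Scopes meeting the advisory's version and UseCanonicalName conditions."""
    settings = effective_settings(conf_text) if version_affected(version) else {}
    return [s for s, v in settings.items() if v == "off"]

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = """\
# UseCanonicalName Off
UseCanonicalName On
<VirtualHost *:80>
</VirtualHost>
<virtualhost *:80>
    usecanonicalname OFF
</virtualhost>
"""
```

Any scope returned by `exposed_scopes` still needs the wildcard DNS condition confirmed before the asset is treated as vulnerable.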

Solution(s)

  • apache-httpd-upgrade-1_3_27
  • apache-httpd-upgrade-2_0_43
