Apache HTTP Server XSS Vulnerability

March 8, 2013

The Apache HTTP Server, commonly referred to as Apache, is web server software notable for playing a key role in the initial growth of the World Wide Web. In 2009 it became the first web server software to surpass the 100 million website milestone. The application is available for a wide variety of operating systems, including Unix, FreeBSD, Linux, Solaris, Novell NetWare, OS X, Microsoft Windows, OS/2, TPF, and eComStation. Released under the Apache License, Apache is open-source software.

Apache supports a variety of features, many implemented as compiled modules that extend the core functionality. These range from server-side programming language support to authentication schemes. Common language interfaces support Perl, Python, Tcl, and PHP. Popular authentication modules include mod_access, mod_auth, mod_digest, and mod_auth_digest, the successor to mod_digest. Another example of the official plug-in modules is mod_proxy_balancer. Like all other modules, it can be compiled as a separate shared library with a ".so" extension. The purpose of this module is to let the Apache HTTP Server run as a load-balancing proxy server.

When combined with mod_status, mod_proxy_balancer provides a web interface called balancer-manager that enables dynamic updating of balancer members. You can use balancer-manager to change the balance factor for a particular member, or to put it in offline mode.

A URL has the following generic format:


A cross-site scripting vulnerability exists in the way the mod_proxy_balancer module of the Apache HTTP Server handles the URL string for the balancer-manager web interface. The flaw is due to insufficient sanitization of the URL. A remote attacker can exploit this vulnerability by enticing a user to view a specially crafted webpage or link. Successful exploitation could result in malicious script code executing in the client's browser, within the security context of the website.

The vendor, Apache, released an advisory addressing this vulnerability on 2/25/2013. The Dell SonicWALL UTM team has researched this vulnerability and covered it with a generic XSS detection signature:

  • 6753 Cross-Site Scripting (XSS) Attack 8
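
The same idea can be applied to a server's own access logs. The following Python code is an added example, not the SonicWALL signature and not Apache code: it flags requests for the balancer-manager interface whose decoded URL carries HTML metacharacters. The `/balancer-manager` path, the Common Log Format layout, the parameter name `x` and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Assumption: the manager is mapped at this path (sites choose it in a <Location> block).
MANAGER_PATH = "/balancer-manager"
# Request line inside a Common/Combined Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# Characters that let a reflected value break out of HTML text or an attribute.
HTML_META = set("<>\"'")


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is inspected as well."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_manager_requests(log_lines):
    """Return (client_ip, decoded_target) for manager requests with HTML metacharacters."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        raw = match.group(1)
        # Isolate the path: drop the query string, decode, then drop path parameters.
        path = decode_fully(raw.split("?", 1)[0]).split(";", 1)[0]
        if path.rstrip("/") != MANAGER_PATH:
            continue
        target = decode_fully(raw)
        if HTML_META & set(target):
            hits.append((line.split(" ", 1)[0], target))
    return hits


# Constructed sample log lines (documentation IP ranges), not from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Mar/2013:10:00:01 +0000] "GET /balancer-manager HTTP/1.1" 200 2310',
    '198.51.100.7 - - [08/Mar/2013:10:00:05 +0000] "GET /balancer-manager?x=%3Cb%3Etest%3C/b%3E HTTP/1.1" 200 2345',
    '198.51.100.7 - - [08/Mar/2013:10:00:09 +0000] "GET /balancer-manager?x=%253Ci%253E HTTP/1.1" 200 2345',
    '203.0.113.4 - - [08/Mar/2013:10:00:12 +0000] "GET /index.html?q=%3Cb%3E HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, target in suspicious_manager_requests(SAMPLE_LOG):
        print(f"{ip} -> {target}")
```

Hits from addresses outside the administrators' network are worth reviewing first, since the manager interface is normally used only by operators.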

This vulnerability has been assigned the identifier CVE-2012-4558.