mod_pagespeed Security Advisory: Insufficient Hostname Verification

CVE Identifier:

CVE-2012-4001

Disclosed:

September 12, 2012

Versions Affected:

All versions of mod_pagespeed up to and including 0.10.22.4.

Summary:

mod_pagespeed performs insufficient verification of its own host name, which makes it possible to trick it into doing HTTP fetches and resource processing from arbitrary host names, including potentially bypassing firewalls.

Solution:

mod_pagespeed 0.10.22.6 has been released with a fix.

Workaround:

If you are unable to upgrade to the new version, you can avoid this issue by changing your Apache httpd configuration. Give any virtual host that enables mod_pagespeed (and the global configuration, if it also enables mod_pagespeed) an accurate explicit ServerName, and set the options UseCanonicalName and UseCanonicalPhysicalPort to On in each. Please be aware, however, that depending on the version, CVE-2012-4360 may also apply.