mod_pagespeed and ngx_pagespeed Security Advisory: Cross-Site Scripting
- CVE Identifier:
CVE-2013-6111
- Disclosed:
October 28th, 2013
- Versions Affected:
  - mod_pagespeed versions earlier than 1.0
  - mod_pagespeed version 1.0.22.7 (fixed in 1.0.22.8)
  - mod_pagespeed versions 1.1
  - mod_pagespeed 1.2.24.1 (fixed in 1.2.24.2)
  - mod_pagespeed 1.3.25.1 through 1.3.25.4 (fixed in 1.3.25.5)
  - mod_pagespeed 1.4.26.1 through 1.4.26.4 (fixed in 1.4.26.5)
  - mod_pagespeed and ngx_pagespeed 1.5.27.1 through 1.5.27.3 (fixed in 1.5.27.4)
  - mod_pagespeed and ngx_pagespeed 1.6.29.1 through 1.6.29.6 (fixed in 1.6.29.7)
- Summary:
Some versions of mod_pagespeed and ngx_pagespeed are vulnerable to cross-site scripting (XSS), which can permit a hostile third party to inject JavaScript that runs in the context of the site.
- Solution:
For mod_pagespeed, update to one of versions 1.0.22.8-stable, 1.2.24.2-stable, 1.3.25.5-stable, 1.4.26.5-stable, 1.5.27.4-beta, or 1.6.29.7 or newer.
For ngx_pagespeed, update to 1.6.29.7 or newer.
- Workaround:
  No workaround is available for mod_pagespeed.
  For ngx_pagespeed, you can completely prohibit access to /ngx_pagespeed_statistics, /ngx_pagespeed_global_statistics and /ngx_pagespeed_message (an IP whitelist is insufficient), via options similar to:

    location /ngx_pagespeed_global_statistics { deny all; }
    location /ngx_pagespeed_statistics { deny all; }
    location /ngx_pagespeed_message { deny all; }
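As an added example that is not part of this advisory, the following Python check classifies a reported pagespeed version string against the affected ranges listed above. It assumes version strings look like "1.3.25.5-stable" or the value of the X-Mod-Pagespeed response header (a version followed by an optional "-suffix", which is ignored).

```python
from typing import Tuple

# (first affected, first fixed) per release series, copied from the
# "Versions Affected" list of this advisory (CVE-2013-6111).
AFFECTED_RANGES = [
    ((1, 0, 22, 7), (1, 0, 22, 8)),
    ((1, 2, 24, 1), (1, 2, 24, 2)),
    ((1, 3, 25, 1), (1, 3, 25, 5)),
    ((1, 4, 26, 1), (1, 4, 26, 5)),
    ((1, 5, 27, 1), (1, 5, 27, 4)),
    ((1, 6, 29, 1), (1, 6, 29, 7)),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.3.25.5-stable' (or '1.6.29.7-3566') into (1, 3, 25, 5).

    Assumed format: up to four dotted integers, optionally followed by a
    '-suffix' that is discarded. Missing trailing components become 0.
    """
    core = version.strip().split("-")[0]
    parts = [int(p) for p in core.split(".") if p]
    if not parts or len(parts) > 4:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts += [0] * (4 - len(parts))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if the version falls in a range the advisory lists as vulnerable."""
    v = parse_version(version)
    if v < (1, 0, 0, 0):        # "versions earlier than 1.0"
        return True
    if v[:2] == (1, 1):         # "versions 1.1": the whole series is listed
        return True
    # Remaining series: affected from the first listed build up to, but not
    # including, the build that carries the fix.
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    for sample in ("1.3.25.4", "1.3.25.5-stable", "1.6.29.7-3566", "0.10.22.4"):
        print(sample, "->", "AFFECTED" if is_affected(sample) else "not affected")
```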