Cross script vulnerability (XSS) in httpd

Savvas Karagiannidis karagian at
Wed Jan 29 05:38:43 EST 2020

Not sure if this is an actual issue, so I'm posting it here first, in case
someone knows better.
We recently ran a vulnerability assessment using Nessus against our server
running Cyrus and it detected the following medium risk XSS issue (the
actual report is at the bottom of the email).

9080 is the custom port https is configured to listen on.

From what I understand it seems that someone could craft a special request
and enter script code via the headers sent, code that appears in the
response and could actually be executed in case a browser is used.

The report had multiple example requests, but technically they were all the
same, so I'm just attaching the first example request that confirms the

Savvas Karagiannidis

Here's the related part of the report:

The remote web server is affected by a cross-site scripting vulnerability.
The remote host is running a web server that fails to adequately sanitize
request strings of malicious JavaScript. A remote attacker can exploit this
issue, via a specially crafted request, to execute arbitrary HTML and
script code in a user's browser within the security context of the affected
See Also
Contact the vendor for a patch or upgrade.
Risk Factor
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#E:H/RL:OF/RC:C)

BID 5011
BID 5305
BID 7344
BID 7353
BID 8037
BID 14473
BID 17408
BID 54344
CVE CVE-2002-1060
CVE CVE-2002-1700
CVE CVE-2003-1543
CVE CVE-2005-2453
CVE CVE-2006-1681
CVE CVE-2012-3382
XREF CWE:79
Plugin Information
Published: 2001/11/30, Modified: 2018/07/06
Plugin Output
------------------------------ Request #1 ------------------------------

The full request used to detect this flaw was :

GET /cgi-bin/llknxx7s.html HTTP/1.1
Host: <script>alert(Host)</script>:9080
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

The output was :

HTTP/1.1 404 Not Found
Date: Thu, 23 Jan 2020 18:13:22 GMT
Connection: close, Upgrade
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 437

[...] Jansson/2.9 Server at <script>alert(Host)</script> Port
9080</address></ [...]

More information about the Info-cyrus mailing list
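
Added example, not part of the original post and not Cyrus httpd's own code: one way an error page can build the "Server at ... Port ..." footer seen in the report without reflecting the Host header as markup. The function names, the fallback name mail.example.org and the buffer sizes are assumptions made for illustration; a Host value that is not a plain hostname with an optional numeric port (IPv6 literals included) falls back to the configured name.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* HTML-escape the first n bytes of src into dst; -1 if dst (cap bytes) is too small. */
int html_escape(const char *src, size_t n, char *dst, size_t cap)
{
    size_t o = 0;
    if (cap == 0) return -1;
    for (size_t i = 0; i < n; i++) {
        const char *s = src + i, *rep = *s == '&' ? "&amp;" : *s == '<' ? "&lt;" :
            *s == '>' ? "&gt;" : *s == '"' ? "&quot;" : *s == '\'' ? "&#39;" : NULL;
        size_t k = rep ? strlen(rep) : 1;
        if (o + k >= cap) { dst[o] = '\0'; return -1; }
        memcpy(dst + o, rep ? rep : s, k);
        o += k;
    }
    dst[o] = '\0';
    return 0;
}

/* Length of the hostname in "host[:port]" if it is only [A-Za-z0-9.-] plus digits; else 0. */
size_t host_len(const char *h)
{
    size_t i = 0, len;
    while (isalnum((unsigned char)h[i]) || h[i] == '-' || h[i] == '.') i++;
    len = i;
    if (h[i] == ':') do i++; while (isdigit((unsigned char)h[i]));
    return h[i] == '\0' ? len : 0;
}

/* Build the footer: a rejected Host is replaced by servername, and the name is escaped. */
int build_footer(const char *host, const char *servername, int port, char *out, size_t cap)
{
    char esc[1536];
    size_t n = host_len(host);
    if (n == 0) { host = servername; n = strlen(servername); }
    if (html_escape(host, n, esc, sizeof esc) != 0) return -1;
    int w = snprintf(out, cap, "<address>Server at %s Port %d</address>", esc, port);
    return (w < 0 || (size_t)w >= cap) ? -1 : 0;
}

int main(void)
{
    char buf[512];
    const char *host = "<script>alert(Host)</script>:9080"; /* constructed: scanner's Host value */
    if (build_footer(host, "mail.example.org", 9080, buf, sizeof buf) == 0) puts(buf);
    return 0;
}
```

Validation and escaping are kept as separate steps so that the footer stays inert even if the hostname check is later loosened.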