mod_pagespeed Security Advisory: Insufficient Hostname Verification
- CVE Identifier:
- September 12, 2012
- Versions Affected:
- All versions of mod_pagespeed up to and including 0.10.22.4.
- mod_pagespeed performs insufficient verification of its own host name,
which makes it possible to trick it into doing HTTP fetches and resource
processing from arbitrary host names, including potentially bypassing
- mod_pagespeed 0.10.22.6 has been released with a fix.
- If you are unable to upgrade to the new version, you can avoid this
issue by changing your Apache httpd configuration. Give any virtual host
that enables mod_pagespeed (and the global configuration, if it also enables
mod_pagespeed) an accurate explicit ServerName, and set the On in each.
Please be aware, however, that depending on the version, CVE-2012-4360
may also apply.
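
One way to audit a configuration against the workaround above, as an added example that is not part of the original advisory or of mod_pagespeed. It assumes mod_pagespeed is enabled with the `ModPagespeed on` directive, treats each scope independently (no inheritance, no `Include` handling), and takes the names of any directives that must be `On` from the caller, since this text does not name them; the sample configuration is constructed.

```python
import re

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONF = """\
ModPagespeed on
<VirtualHost *:80>
    ServerName www.example.com
    ModPagespeed on
</VirtualHost>
<VirtualHost *:80>
    # No ServerName given for this virtual host.
    ModPagespeed on
</VirtualHost>
<VirtualHost *:80>
    ServerName static.example.com
    ModPagespeed off
</VirtualHost>
"""

def audit(conf_text, required_on=()):
    """Return [(scope, [missing items])] for each scope that enables mod_pagespeed.

    required_on: caller-supplied directive names that must be set to On in
    every such scope (hypothetical parameter of this example).
    """
    scopes = {"global": {}}          # scope name -> {directive (lowercase): value}
    current, count = "global", 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]*)>", line, re.I)
        if opened:
            count += 1
            current = f"vhost#{count} {opened.group(1).strip()}"
            scopes[current] = {}
        elif re.match(r"</VirtualHost>", line, re.I):
            current = "global"
        else:
            name, _, value = line.partition(" ")
            scopes[current][name.lower()] = value.strip()
    findings = []
    for scope, directives in scopes.items():
        if directives.get("modpagespeed", "").lower() != "on":
            continue                 # scope does not enable mod_pagespeed
        missing = [] if directives.get("servername") else ["ServerName"]
        missing += [d for d in required_on
                    if directives.get(d.lower(), "").lower() != "on"]
        if missing:
            findings.append((scope, missing))
    return findings
```

Calling `audit(SAMPLE_CONF)` lists the global scope and the second virtual host, both of which enable mod_pagespeed without an explicit ServerName.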