Mirrored documentation
This page is a faithful mirror of the original Apache mod_pagespeed documentation (Apache License 2.0). The upstream project was retired and the modpagespeed.com domain is now operated by an unrelated commercial vendor; we host the original reference so users of nginx-module-pagespeed from GetPageSpeed can rely on a stable copy.
mod_pagespeed and ngx_pagespeed Security Advisory: Cross-Site Scripting
CVE Identifier: CVE-2013-6111
Disclosed: October 28th, 2013
Versions Affected:
- mod_pagespeed versions earlier than 1.0
- mod_pagespeed version 1.0.22.7 (fixed in 1.0.22.8)
- mod_pagespeed versions 1.1
- mod_pagespeed 1.2.24.1 (fixed in 1.2.24.2)
- mod_pagespeed 1.3.25.1 through 1.3.25.4 (fixed in 1.3.25.5)
- mod_pagespeed 1.4.26.1 through 1.4.26.4 (fixed in 1.4.26.5)
- mod_pagespeed and ngx_pagespeed 1.5.27.1 through 1.5.27.3 (fixed in 1.5.27.4)
- mod_pagespeed and ngx_pagespeed 1.6.29.1 through 1.6.29.6 (fixed in 1.6.29.7)
Summary: Some versions of mod_pagespeed and ngx_pagespeed are vulnerable to cross-site scripting (XSS), which can permit a hostile third party to inject JavaScript that runs in the context of the site.
Solution: For mod_pagespeed, update to one of versions 1.0.22.8-stable, 1.2.24.2-stable, 1.3.25.5-stable, 1.4.26.5-stable, 1.5.27.4-beta, or 1.6.29.7 or newer.
For ngx_pagespeed, update to 1.6.29.7 or newer.
Workaround: No workaround is available for mod_pagespeed.
For ngx_pagespeed, you can completely prohibit access to /ngx_pagespeed_statistics, /ngx_pagespeed_global_statistics and /ngx_pagespeed_message (an IP whitelist is insufficient), via options similar to:
location /ngx_pagespeed_global_statistics { deny all; }
location /ngx_pagespeed_statistics { deny all; }
location /ngx_pagespeed_message { deny all; }
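The following nginx server block is an added example, not part of the original advisory, showing the insufficient IP-whitelist form of the restriction next to the full deny the advisory recommends. A whitelist does not help here because a reflected XSS payload is delivered through a legitimate visitor's browser, so the request to the handler path arrives from whatever address that visitor already has, including a whitelisted one. The server name, document root and the 10.0.0.0/8 range are assumptions.

```nginx
server {
    listen 80;
    server_name example.invalid;   # placeholder hostname, an assumption

    # INSUFFICIENT (kept commented out): the advisory states that an IP whitelist
    # does not mitigate this issue. A reflected XSS payload reaches the handler via
    # the browser of an already-allowed client, so the request passes this check.
    # location /ngx_pagespeed_statistics {
    #     allow 10.0.0.0/8;   # constructed example range
    #     deny  all;
    # }

    # RECOMMENDED WORKAROUND (from the advisory): refuse every request to the three
    # handler paths until ngx_pagespeed is upgraded to 1.6.29.7 or newer.
    location /ngx_pagespeed_global_statistics { deny all; }
    location /ngx_pagespeed_statistics        { deny all; }
    location /ngx_pagespeed_message           { deny all; }

    location / {
        # normal site configuration goes here (assumed document root)
        root /var/www/html;
    }
}
```

After validating and reloading the configuration (`nginx -t && nginx -s reload`), requests to any of the three paths are answered with 403 regardless of the client address; verifying that response on each path is a quick way to confirm the workaround is in effect before the upgrade is scheduled.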