[Japanese]

JVNDB-2005-000727

mod_imap cross-site scripting vulnerability

Overview

The "mod_imap" and "mod_imagemap" modules of the Apache HTTP Server are used for implementing server-side image map processing.
mod_imap and mod_imagemap are affected by a cross-site scripting vulnerability when referer values are used in an image map in such a way that they do not handle HTTP_REFERER properly.
CVSS Severity (What is CVSS?)

Base Metrics: 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products


Apache Software Foundation
  • Apache HTTP Server 1.3.34 and ealier
  • Apache HTTP Server 2.0.55 and ealier
  • Apache HTTP Server 2.2.0
IBM Corporation
  • IBM HTTP Server 1.3.26.x
  • IBM HTTP Server 1.3.28.x
  • IBM HTTP Server 2.0.42.x
  • IBM HTTP Server 2.0.47.x
  • IBM HTTP Server 6.0.x
Apple Inc.
  • Apple Mac OS X v10.4.11
  • Apple Mac OS X Server v10.4.11
  • Apple Mac OS X Server v10.5.2
Oracle Corporation
  • Oracle HTTP Server 10.1.3.5.0
Sun Microsystems, Inc.
  • Sun Solaris 10 (SPARC)
  • Sun Solaris 10 (x86)
  • Sun Solaris 8 (SPARC)
  • Sun Solaris 8 (x86)
  • Sun Solaris 9 (SPARC)
  • Sun Solaris 9 (x86)
Turbolinux, Inc.
  • Turbolinux 10 Desktop
  • Turbolinux 10 F...
  • Turbolinux 10 Server
  • Turbolinux 10 Server x64 Edition
  • Turbolinux FUJI
  • Turbolinux Multimedia
  • Turbolinux Personal
  • Turbolinux Home
Hewlett-Packard Development Company, L.P
  • HP-UX 11.00
  • HP-UX 11.04
  • HP-UX 11.11
  • HP-UX 11.23
MIRACLE LINUX CORPORATION
  • MIRACLE LINUX V3.0
  • MIRACLE LINUX V3.0 for x86-64
  • MIRACLE LINUX V4.0
  • MIRACLE LINUX V4.0 for x86-64
Red Hat, Inc.
  • Red Hat Enterprise Linux AS (v.2.1)
  • Red Hat Enterprise Linux AS (v.3)
  • Red Hat Enterprise Linux AS (v.4)
  • Red Hat Enterprise Linux ES (v.2.1)
  • Red Hat Enterprise Linux ES (v.3)
  • Red Hat Enterprise Linux ES (v.4)
  • Red Hat Enterprise Linux WS (v.2.1)
  • Red Hat Enterprise Linux WS (v.3)
  • Red Hat Enterprise Linux WS (v.4)
  • Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor

Impact

A remote attacker could execute a malicious script on the web browser of a user who accessed a web page where mod_imap or mod_imagemap is used.
Solution

Vendor Information

Apache Software Foundation
  • Apache httpd 1.3 vulnerabilities : 1.3.35
  • Apache httpd 2.0 vulnerabilities : 2.0.58
  • Apache httpd 2.2 vulnerabilities : 2.2.2
  • Changes with Apache : 1.3.35
  • Changes with Apache : 2.0.58
  • Changes with Apache : 2.2.2
IBM Corporation Apple Inc. Oracle Corporation Sun Microsystems, Inc.
  • Sun Alert Notification : 102662
  • Sun Alert Notification : 102663
Turbolinux, Inc. Hewlett-Packard Development Company, L.P MIRACLE LINUX CORPORATION Red Hat, Inc.
CWE (What is CWE?)

CVE (What is CVE?)

  1. CVE-2005-3352
References

  1. JVN : JVN#06045169
  2. National Vulnerability Database (NVD) : CVE-2005-3352
  3. US-CERT Cyber Security Alerts : SA08-079A
  4. US-CERT Cyber Security Alerts : SA08-150A
  5. US-CERT Technical Cyber Security Alert : TA08-079A
  6. US-CERT Technical Cyber Security Alert : TA08-150A
  7. SecurityFocus : 15834
Revision History

[2008/05/21]
  Web page published
[2008/06/06]
  Affected Products : Added Apple Inc (Security Update 2008-002).
  Vendor Information : Added Apple Inc (Security Update 2008-002).
[2008/06/17]
  Vendor Information : Added Apple Inc (Security Update 2008-003).
[2013/07/18]
  Affected Products : Product of Oracle was added.
  Vendor Information : Contents of Oracle were added.