JVNDB-2007-001022

Apache UTF-7 Encoding Cross-Site Scripting Vulnerability

The mod_autoindex.c module in Apache HTTP Server is vulnerable to a cross-site scripting attack. When the charset on a server-generated page is undefined, the vulnerability allows attackers to inject arbitrary scripts or HTML via the P parameter using the UTF-7 charset.

Base Metrics: 4.3 (Medium) [IPA Score]

• Access Vector: Network
• Access Complexity: Medium
• Authentication: None
• Confidentiality Impact: None
• Integrity Impact: Partial
• Availability Impact: None

Apache Software Foundation

• Apache HTTP Server 2.0.60 and earlier
• Apache HTTP Server 2.2.5 and earlier

Apple Inc.

• Apple Mac OS X Server v10.4.11

Turbolinux, Inc.

• Turbolinux 10 Server
• Turbolinux 10 Server x64 Edition
• Turbolinux 11 Server
• Turbolinux 11 Server x64 Edition
• Turbolinux Appliance Server 1.0 Hosting Edition
• Turbolinux Appliance Server 1.0 Workgroup Edition
• Turbolinux Appliance Server 2.0
• Turbolinux FUJI
• Turbolinux Multimedia
• Turbolinux Personal

Hewlett-Packard Development Company, L.P

• HP-UX 11.11
• HP-UX 11.23
• HP-UX 11.31

MIRACLE LINUX CORPORATION

• Asianux Server 3 for x86
• Asianux Server 3 for x86-64
• MIRACLE LINUX V2.0
• MIRACLE LINUX V2.1
• MIRACLE LINUX V3.0
• MIRACLE LINUX V3.0 for x86-64
• MIRACLE LINUX V4.0
• MIRACLE LINUX V4.0 for x86-64

Red Hat, Inc.

• Red Hat Desktop (v.3)
• Red Hat Desktop (v.4)
• Red Hat Enterprise Linux (v.5 server)
• Red Hat Enterprise Linux AS (v.2.1)
• Red Hat Enterprise Linux AS (v.3)
• Red Hat Enterprise Linux AS (v.4)
• Red Hat Enterprise Linux Desktop (v.5 client)
• Red Hat Enterprise Linux ES (v.2.1)
• Red Hat Enterprise Linux ES (v.3)
• Red Hat Enterprise Linux ES (v.4)
• Red Hat Enterprise Linux WS (v.2.1)
• Red Hat Enterprise Linux WS (v.3)
• Red Hat Enterprise Linux WS (v.4)
• Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
• RHEL Desktop Workstation (v.5 client)

Hitachi, Ltd

• Hitachi Web Server
• uCosminexus Application Server Enterprise
• uCosminexus Application Server Standard
• uCosminexus Service Platform

FUJITSU

• Interstage Application Framework Suite
• Interstage Application Server
• Interstage Apworks
• Interstage Business Application Server
• Interstage Job Workload Server
• Interstage Studio
• Interstage Web Server
• Systemwalker Resource Coordinator

An attacker could execute arbitrary scripts on the user's web browser.

Please refer to the 'Vendor Information' section for official remediation and take appropriate action.

Apache Software Foundation

• Changes with Apache : CHANGES_2.0.61
• Changes with Apache : CHANGES_2.2.6

Apple Inc.

• Apple security updates : Security Update 2008-003

Turbolinux, Inc.

• Turbolinux Security Advisory : TLSA-2008-5

Hewlett-Packard Development Company, L.P

• HP Security Bulletin : HPSBUX02365
• HP Security Bulletin : HPSBUX02431
• HP Security Bulletin : HPSBUX02465

MIRACLE LINUX CORPORATION

• Asianux Technical Support Network : httpd-2.2.3-11.3.1AX
• MIRACLE LINUX Update Information : 1205 (Japanese)
• MIRACLE LINUX Update Information : 1224 (Japanese)
• MIRACLE LINUX Update Information : 1221 (Japanese)

Red Hat, Inc.

• Red Hat Security Advisory : RHSA-2008:0004
• Red Hat Security Advisory : RHSA-2008:0005
• Red Hat Security Advisory : RHSA-2008:0006
• Red Hat Security Advisory : RHSA-2008:0008

Hitachi, Ltd

• Hitachi Software Vulnerability Information : HS07-041

FUJITSU

• Fujitsu Software Security Patches & Updates : interstage-200807e

1. US-CERT Cyber Security Alerts : SA08-150A
2. US-CERT Technical Cyber Security Alert : TA08-150A
3. National Vulnerability Database (NVD) : CVE-2007-4465
4. Common Vulnerabilities and Exposures (CVE) : CVE-2007-4465
5. SecurityFocus : 25653
6. ISS X-Force Database : 36586
7. SecurityTracker : 1019194
8. Common Weakness Enumeration (CWE) : Cross-site scripting (CWE-79) [NVD Evaluation]

[2008/05/21]
  Web page published
[2008/06/17]
  Affected Products : Added Apple Inc(Security Update 2008-003).
  Vendor Information : Added Apple Inc(Security Update 2008-003).
[2009/08/05]
  Affected Products : Added Hewlett-Packard Development Company, L.P (HPSBUX02365).
  Affected Products : Added Hewlett-Packard Development Company, L.P (HPSBUX02431).
  Affected Products : Added FUJITSU (interstage-200807e).
  Vendor Information : Added Hewlett-Packard Development Company, L.P (HPSBUX02365).
  Vendor Information : Added Hewlett-Packard Development Company, L.P (HPSBUX02431).
  Vendor Information : Added FUJITSU (interstage-200807e).
[2009/11/16]
  Vendor Information : Added Hewlett-Packard Development Company, L.P (HPSBUX02465).