JVNDB-2007-001022

Apache UTF-7 Encoding Cross-Site Scripting Vulnerability

Overview

The mod_autoindex.c module in Apache HTTP Server is vulnerable to a cross-site scripting attack. When a server-generated directory listing page does not declare a charset, an attacker can inject arbitrary script or HTML through the P parameter by encoding it in the UTF-7 charset, which the browser may then interpret as markup.
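The weakness described above is the undeclared charset, not the script content itself: a text/html response with no charset parameter leaves the browser free to guess the encoding. The following checker is an added example written for this page, not code from the advisory or from the Apache project; it audits constructed sample response headers and reports markup responses that lack a charset declaration. The sample responses and the function names are assumptions made for the example. On the server side, a directive such as Apache's AddDefaultCharset (a real directive, though not cited by the advisory) is the usual way to make the declaration explicit.

```python
"""Audit HTTP response headers for markup served without a declared charset.

An HTML response whose Content-Type carries no charset parameter lets the
browser sniff the encoding, which is the precondition for the mod_autoindex
UTF-7 issue described in the advisory. This is an added example; the sample
responses below are constructed and do not come from any real server.
"""

import re
from typing import Dict, Optional

# Constructed sample responses: name -> {header name: header value}.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "listing-no-charset": {"Content-Type": "text/html"},
    "listing-utf8": {"Content-Type": "text/html; charset=UTF-8"},
    "listing-latin1": {"Content-Type": "text/html;charset=iso-8859-1"},
    "image": {"Content-Type": "image/png"},
    "no-content-type": {},
}

# Matches the charset parameter of a Content-Type value, quoted or bare.
_CHARSET_RE = re.compile(r';\s*charset\s*=\s*"?([A-Za-z0-9._-]+)"?', re.IGNORECASE)

# Media types a browser will render as markup (and therefore sniff if undeclared).
_MARKUP_TYPES = {"text/html", "application/xhtml+xml", "text/xml", "application/xml"}


def declared_charset(content_type: str) -> Optional[str]:
    """Return the lower-cased charset parameter of a Content-Type value, or None."""
    match = _CHARSET_RE.search(content_type)
    return match.group(1).lower() if match else None


def is_markup(content_type: str) -> bool:
    """True if the media type (ignoring parameters) is one the browser renders as markup."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in _MARKUP_TYPES


def audit_response(headers: Dict[str, str]) -> Optional[str]:
    """Return a finding for a markup response without a charset, otherwise None."""
    content_type = next(
        (value for name, value in headers.items() if name.lower() == "content-type"), None
    )
    if content_type is None:
        return "missing Content-Type header (browser will sniff both type and encoding)"
    if not is_markup(content_type):
        return None  # non-markup responses are out of scope for this weakness
    if declared_charset(content_type) is None:
        return f"markup response without charset: {content_type!r}"
    return None


def audit_all(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Return only the responses that produced a finding, keyed by sample name."""
    findings = {}
    for name, headers in responses.items():
        finding = audit_response(headers)
        if finding is not None:
            findings[name] = finding
    return findings


if __name__ == "__main__":
    # Fix on the Apache side (assumption, not from the advisory): AddDefaultCharset UTF-8
    for sample_name, finding in audit_all(SAMPLE_RESPONSES).items():
        print(f"{sample_name}: {finding}")
```

Run it against captured headers from a directory listing to confirm the charset is declared after remediation; the listing-no-charset and no-content-type samples are the two that should be flagged.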

CVSS Severity

Base Metrics: 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

Apache Software Foundation
  • Apache HTTP Server 2.0.60 and earlier
  • Apache HTTP Server 2.2.5 and earlier
Apple Inc.
  • Apple Mac OS X Server v10.4.11
Turbolinux, Inc.
  • Turbolinux 10 Server
  • Turbolinux 10 Server x64 Edition
  • Turbolinux 11 Server
  • Turbolinux 11 Server x64 Edition
  • Turbolinux Appliance Server 1.0 Hosting Edition
  • Turbolinux Appliance Server 1.0 Workgroup Edition
  • Turbolinux Appliance Server 2.0
  • Turbolinux FUJI
  • Turbolinux Multimedia
  • Turbolinux Personal
Hewlett-Packard Development Company, L.P
  • HP-UX 11.11
  • HP-UX 11.23
  • HP-UX 11.31
MIRACLE LINUX CORPORATION
  • Asianux Server 3 for x86
  • Asianux Server 3 for x86-64
  • MIRACLE LINUX V2.0
  • MIRACLE LINUX V2.1
  • MIRACLE LINUX V3.0
  • MIRACLE LINUX V3.0 for x86-64
  • MIRACLE LINUX V4.0
  • MIRACLE LINUX V4.0 for x86-64
Red Hat, Inc.
  • Red Hat Desktop (v.3)
  • Red Hat Desktop (v.4)
  • Red Hat Enterprise Linux (v.5 server)
  • Red Hat Enterprise Linux AS (v.2.1)
  • Red Hat Enterprise Linux AS (v.3)
  • Red Hat Enterprise Linux AS (v.4)
  • Red Hat Enterprise Linux Desktop (v.5 client)
  • Red Hat Enterprise Linux ES (v.2.1)
  • Red Hat Enterprise Linux ES (v.3)
  • Red Hat Enterprise Linux ES (v.4)
  • Red Hat Enterprise Linux WS (v.2.1)
  • Red Hat Enterprise Linux WS (v.3)
  • Red Hat Enterprise Linux WS (v.4)
  • Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
  • RHEL Desktop Workstation (v.5 client)
Hitachi, Ltd
  • Hitachi Web Server
  • uCosminexus Application Server Enterprise
  • uCosminexus Application Server Standard
  • uCosminexus Service Platform
FUJITSU
  • Interstage Application Framework Suite
  • Interstage Application Server
  • Interstage Apworks
  • Interstage Business Application Server
  • Interstage Job Workload Server
  • Interstage Studio
  • Interstage Web Server
  • Systemwalker Resource Coordinator

Impact

An attacker could execute arbitrary scripts in the user's web browser.

Solution

Please refer to the 'Vendor Information' section for official remediation and take appropriate action.

Vendor Information

Apache Software Foundation
Apple Inc.
Turbolinux, Inc.
Hewlett-Packard Development Company, L.P
MIRACLE LINUX CORPORATION
  • Asianux Technical Support Network : httpd-2.2.3-11.3.1AX
  • MIRACLE LINUX Update Information : 1205 (Japanese)
  • MIRACLE LINUX Update Information : 1224 (Japanese)
  • MIRACLE LINUX Update Information : 1221 (Japanese)
Red Hat, Inc.
Hitachi, Ltd
  • Hitachi Software Vulnerability Information : HS07-041
FUJITSU

CWE

  1. Cross-site Scripting (CWE-79) [NVD Evaluation]

CVE

  1. CVE-2007-4465

References

  1. National Vulnerability Database (NVD) : CVE-2007-4465
  2. US-CERT Cyber Security Alerts : SA08-150A
  3. US-CERT Technical Cyber Security Alert : TA08-150A
  4. SecurityFocus : 25653
  5. ISS X-Force Database : 36586
  6. SecurityTracker : 1019194

Revision History

[2008/05/21]
  Web page published
[2008/06/17]
  Affected Products : Added Apple Inc(Security Update 2008-003).
  Vendor Information : Added Apple Inc(Security Update 2008-003).
[2009/08/05]
  Affected Products : Added Hewlett-Packard Development Company, L.P (HPSBUX02365).
  Affected Products : Added Hewlett-Packard Development Company, L.P (HPSBUX02431).
  Affected Products : Added FUJITSU (interstage-200807e).
  Vendor Information : Added Hewlett-Packard Development Company, L.P (HPSBUX02365).
  Vendor Information : Added Hewlett-Packard Development Company, L.P (HPSBUX02431).
  Vendor Information : Added FUJITSU (interstage-200807e).
[2009/11/16]
  Vendor Information : Added Hewlett-Packard Development Company, L.P (HPSBUX02465).