JVNDB-2007-001022
Apache UTF-7 Encoding Cross-Site Scripting Vulnerability
Overview
The mod_autoindex module (mod_autoindex.c) of Apache HTTP Server, which generates directory index listings, is vulnerable to cross-site scripting. When the generated listing is served without an explicit character set, the browser is left to guess the encoding. An attacker can then inject arbitrary script or HTML through the P (file-name pattern) query parameter, whose value is reflected into the listing, by encoding the payload in UTF-7: the encoded form contains none of the characters the server escapes, yet a browser that treats the page as UTF-7 decodes it back into markup and executes it.
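To make the mechanism concrete, the following added example (written for this page; it is not code from JVNDB, IPA or the Apache project) builds the UTF-7 form of a script payload, shows that it contains none of the characters an HTML escaper or a naive filter looks for, checks whether a response declares a charset, and decodes the reflected page the way a browser that had sniffed UTF-7 would. The HTTP responses and the listing markup that reflects the pattern are constructed stand-ins, not real mod_autoindex output, and the function names are this example's own.

```python
# Added example for this advisory; not code from JVNDB, IPA or Apache.
# The HTTP responses below are constructed stand-ins for a mod_autoindex
# directory listing, not captured server output.
import base64
import re
from typing import Optional

# RFC 2152 "Set D" plus whitespace: characters every UTF-7 decoder takes
# literally. Everything else (including '<' and '>') gets base64-encoded.
_DIRECT = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "'(),-./:? \t\r\n"
)


def utf7_encode(text: str) -> str:
    """UTF-7 encode text, base64-wrapping every character outside Set D.

    Python's own utf-7 codec leaves '<' and '>' alone (RFC 2152 allows
    that), so it never yields the '+ADw-' form this attack uses.
    """
    out = []
    for ch in text:
        if ch in _DIRECT:
            out.append(ch)
        else:
            b64 = base64.b64encode(ch.encode("utf-16-be")).decode("ascii")
            out.append("+" + b64.rstrip("=") + "-")
    return "".join(out)


def declared_charset(raw: bytes) -> Optional[str]:
    """Charset the response declares, from Content-Type first and then
    from a <meta> tag in the body; None if neither says anything."""
    head, _, body = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            m = re.search(rb'charset\s*=\s*"?([A-Za-z0-9._-]+)', value, re.I)
            if m:
                return m.group(1).decode("ascii").lower()
    m = re.search(rb'<meta[^>]*charset\s*=\s*["\']?([A-Za-z0-9._-]+)', body, re.I)
    return m.group(1).decode("ascii").lower() if m else None


def listing_is_exposed(raw: bytes) -> bool:
    """An HTML response with no declared charset leaves the encoding to the
    browser's guess, which is the precondition for the UTF-7 trick."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    return b"text/html" in head.lower() and declared_charset(raw) is None


def as_seen_by_utf7_sniffing_browser(raw: bytes) -> str:
    """Decode the body as UTF-7, as a browser that auto-detected UTF-7 would."""
    _, _, body = raw.partition(b"\r\n\r\n")
    return body.decode("utf-7")


def build_listing(pattern: str, charset: Optional[str]) -> bytes:
    """Constructed listing that reflects the P (pattern) value into the
    page; the markup is a stand-in, not real mod_autoindex output."""
    ctype = "text/html" + (f"; charset={charset}" if charset else "")
    body = (
        "<html><head><title>Index of /files</title></head><body>"
        f"<h1>Index of /files</h1><p>Pattern: {pattern}</p></body></html>"
    )
    return ("HTTP/1.1 200 OK\r\nContent-Type: " + ctype + "\r\n\r\n" + body).encode("ascii")


PAYLOAD = "<script>alert(1)</script>"
UTF7_PAYLOAD = utf7_encode(PAYLOAD)                  # '+ADw-script+AD4-alert(1)+ADw-/script+AD4-'
UNDECLARED = build_listing(UTF7_PAYLOAD, None)       # as served by an affected server
DECLARED = build_listing(UTF7_PAYLOAD, "UTF-8")      # with AddDefaultCharset / IndexOptions Charset

if __name__ == "__main__":
    print("UTF-7 payload:", UTF7_PAYLOAD)
    print("exposed without charset:", listing_is_exposed(UNDECLARED))
    print("exposed with charset:   ", listing_is_exposed(DECLARED))
    print("browser sees:", as_seen_by_utf7_sniffing_browser(UNDECLARED))
```

The encoded payload never contains `<` or `>`, so server-side HTML escaping of those characters does nothing to it; only the missing charset declaration makes the difference, which is why the same check in `listing_is_exposed` is worth running against any page that reflects user input. Python's built-in codec is used only on the decoding side, where it does accept the `+ADw-` form and so stands in for the sniffing browser.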
CVSS V2 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
Affected Products
Apache Software Foundation
- Apache HTTP Server 2.0.60 and earlier
- Apache HTTP Server 2.2.5 and earlier
Apple Inc.
- Apple Mac OS X Server v10.4.11
Cybertrust Japan Co., Ltd.
- Asianux Server 3 (x86)
- Asianux Server 3 (x86-64)
- Asianux Server 2.0
- Asianux Server 2.1
- Asianux Server 3.0
- Asianux Server 3.0 (x86-64)
- Asianux Server 4.0
- Asianux Server 4.0 (x86-64)
Turbolinux, Inc.
- Turbolinux Appliance Server 1.0 (hosting)
- Turbolinux Appliance Server 1.0 (workgroup)
- Turbolinux Appliance Server 2.0
- Turbolinux FUJI
- Turbolinux Multimedia
- Turbolinux Personal
- Turbolinux Server 10
- Turbolinux Server 10 (x64)
- Turbolinux Server 11
- Turbolinux Server 11 (x64)
Hewlett-Packard Development Company, L.P
- HP-UX 11.11
- HP-UX 11.23
- HP-UX 11.31
Red Hat, Inc.
- Red Hat Enterprise Linux 5 (server)
- Red Hat Enterprise Linux 2.1 (as)
- Red Hat Enterprise Linux 3 (as)
- Red Hat Enterprise Linux 4 (as)
- Red Hat Enterprise Linux 2.1 (es)
- Red Hat Enterprise Linux 3 (es)
- Red Hat Enterprise Linux 4 (es)
- Red Hat Enterprise Linux 2.1 (ws)
- Red Hat Enterprise Linux 3 (ws)
- Red Hat Enterprise Linux 4 (ws)
- Red Hat Enterprise Linux Desktop 3.0
- Red Hat Enterprise Linux Desktop 4.0
- Red Hat Enterprise Linux Desktop 5.0 (client)
- Red Hat Linux Advanced Workstation 2.1
- RHEL Desktop Workstation 5 (client)
Hitachi, Ltd
- Hitachi Web Server
- uCosminexus Application Server Enterprise
- uCosminexus Application Server Standard
- uCosminexus Service Platform
FUJITSU
- Interstage Application Framework Suite
- Interstage Application Server
- Interstage Apworks
- Interstage Business Application Server
- Interstage Job Workload Server
- Interstage Studio
- Interstage Web Server
- Systemwalker Resource Coordinator
Impact
A remote attacker who gets a user to open a crafted link to a directory listing on an affected server could execute arbitrary script in that user's web browser, in the context of the server's site.
Solution
Refer to the 'Vendor Information' section for the official fixes and apply the update appropriate to your product. Because the attack depends on the directory listing being served without a declared character set, sending an explicit charset on those pages (for example with the AddDefaultCharset directive), or disabling automatic directory listings (Options -Indexes) where they are not needed, removes the condition the UTF-7 trick relies on until a fixed release is installed; the fixed Apache releases also add a Charset option to IndexOptions for exactly this purpose.
Vendor Information
Apache Software Foundation
Apple Inc.
Cybertrust Japan Co., Ltd.
- Asianux Technical Support Network : httpd-2.2.3-11.3.1AX
- MIRACLE LINUX Update Information : 1205 (Japanese)
- MIRACLE LINUX Update Information : 1224 (Japanese)
- MIRACLE LINUX Update Information : 1221 (Japanese)
Turbolinux, Inc.
Hewlett-Packard Development Company, L.P
Red Hat, Inc.
Hitachi, Ltd
- Hitachi Software Vulnerability Information : HS07-041
FUJITSU
CWE
- Cross-site Scripting (CWE-79) [NVD Evaluation]
CVE
- CVE-2007-4465
References
- JVN Status Tracking Notes : TRTA08-150A
- National Vulnerability Database (NVD) : CVE-2007-4465
- US-CERT Cyber Security Alerts : SA08-150A
- US-CERT Technical Cyber Security Alert : TA08-150A
- SecurityFocus : 25653
- ISS X-Force Database : 36586
- SecurityTracker : 1019194
Revision History
[2008/05/21]
Web page published
[2008/06/17]
Affected Products : Added Apple Inc(Security Update 2008-003).
Vendor Information : Added Apple Inc(Security Update 2008-003).
[2009/08/05]
Affected Products : Added Hewlett-Packard Development Company, L.P (HPSBUX02365).
Affected Products : Added Hewlett-Packard Development Company, L.P (HPSBUX02431).
Affected Products : Added FUJITSU (interstage-200807e).
Vendor Information : Added Hewlett-Packard Development Company, L.P (HPSBUX02365).
Vendor Information : Added Hewlett-Packard Development Company, L.P (HPSBUX02431).
Vendor Information : Added FUJITSU (interstage-200807e).
[2009/11/16]
Vendor Information : Added Hewlett-Packard Development Company, L.P (HPSBUX02465).