JVNDB-2007-001022

Apache UTF-7 Encoding Cross-Site Scripting Vulnerability

Overview

The mod_autoindex.c module in Apache HTTP Server is vulnerable to cross-site scripting. When a server-generated directory listing declares no charset, an attacker can inject arbitrary script or HTML through the P parameter by encoding it in the UTF-7 charset.
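The condition behind this record is a text/html response that carries no charset declaration, which leaves the browser free to guess the encoding. The Python script below is an added illustration, not part of this JVNDB record and not Apache code: it parses a response's Content-Type header and flags HTML responses that declare no charset. The header sets it runs on are constructed samples standing in for captured responses, and the function names (parse_content_type, charset_finding, audit) are this example's own.

```python
"""Flag HTML responses that declare no charset.

Added illustration for JVNDB-2007-001022; not part of the record or of Apache.
Only the standard library is used.
"""
from email.message import Message

HTML_TYPES = ("text/html", "application/xhtml+xml")


def parse_content_type(value):
    """Split a Content-Type header value into (media_type, charset-or-None).

    email.message.Message does the parameter parsing and unquoting.
    """
    msg = Message()
    msg["Content-Type"] = value
    charset = msg.get_param("charset")
    if isinstance(charset, tuple):  # RFC 2231 encoded parameter: (charset, lang, value)
        charset = charset[2]
    return msg.get_content_type(), (charset.lower() if charset else None)


def charset_finding(headers):
    """Classify one response by its headers (dict; names are case-insensitive).

    'ok'       HTML with an explicit charset: the browser will not guess.
    'missing'  HTML (or no Content-Type at all) without a charset: the browser
               may sniff the encoding, which is the condition in the overview.
    'non-html' other media types, out of scope for this check.
    """
    content_type = None
    for name, value in headers.items():
        if name.lower() == "content-type":
            content_type = value
            break
    if content_type is None:
        return "missing"
    media_type, charset = parse_content_type(content_type)
    if media_type not in HTML_TYPES:
        return "non-html"
    return "ok" if charset else "missing"


# Constructed sample headers standing in for captured responses.
SAMPLE_RESPONSES = {
    "listing-no-charset": {"Content-Type": "text/html"},
    "listing-with-charset": {"content-type": "text/html; charset=UTF-8"},
    "listing-quoted-charset": {"Content-Type": 'text/html; charset="iso-8859-1"'},
    "image": {"Content-Type": "image/png"},
    "no-content-type": {"Server": "Apache"},
}


def audit(responses=SAMPLE_RESPONSES):
    """Return {name: finding} for every sample; 'missing' entries need attention."""
    return {name: charset_finding(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, finding in audit().items():
        print(f"{name:24s} {finding}")
```

Run it over headers captured from your own server's directory-listing URLs; a 'missing' result on a text/html response is the situation this record describes. On Apache, the general AddDefaultCharset UTF-8 directive makes httpd add a charset to text responses that do not declare one, and patched mod_autoindex versions accept an IndexOptions Charset= option for generated listings; both are httpd directives known from its documentation, not something this record states.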
CVSS Severity

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

Apache Software Foundation
  • Apache HTTP Server 2.0.60 and earlier
  • Apache HTTP Server 2.2.5 and earlier
Apple Inc.
  • Apple Mac OS X Server v10.4.11
Turbolinux, Inc.
  • Turbolinux Appliance Server 1.0 (hosting)
  • Turbolinux Appliance Server 1.0 (workgroup)
  • Turbolinux Appliance Server 2.0
  • Turbolinux FUJI
  • Turbolinux Multimedia
  • Turbolinux Personal
  • Turbolinux Server 10
  • Turbolinux Server 10 (x64)
  • Turbolinux Server 11
  • Turbolinux Server 11 (x64)
Hewlett-Packard Development Company, L.P
  • HP-UX 11.11
  • HP-UX 11.23
  • HP-UX 11.31
MIRACLE LINUX CORPORATION
  • Asianux Server 3 (x86)
  • Asianux Server 3 (x86-64)
  • Asianux Server 2.0
  • Asianux Server 2.1
  • Asianux Server 3.0
  • Asianux Server 3.0 (x86-64)
  • Asianux Server 4.0
  • Asianux Server 4.0 (x86-64)
Red Hat, Inc.
  • Red Hat Enterprise Linux 5 (server)
  • Red Hat Enterprise Linux 2.1 (as)
  • Red Hat Enterprise Linux 3 (as)
  • Red Hat Enterprise Linux 4 (as)
  • Red Hat Enterprise Linux 2.1 (es)
  • Red Hat Enterprise Linux 3 (es)
  • Red Hat Enterprise Linux 4 (es)
  • Red Hat Enterprise Linux 2.1 (ws)
  • Red Hat Enterprise Linux 3 (ws)
  • Red Hat Enterprise Linux 4 (ws)
  • Red Hat Enterprise Linux Desktop 3.0
  • Red Hat Enterprise Linux Desktop 4.0
  • Red Hat Enterprise Linux Desktop 5.0 (client)
  • Red Hat Linux Advanced Workstation 2.1
  • RHEL Desktop Workstation 5 (client)
Hitachi, Ltd
  • Hitachi Web Server
  • uCosminexus Application Server Enterprise
  • uCosminexus Application Server Standard
  • uCosminexus Service Platform
FUJITSU
  • Interstage Application Framework Suite
  • Interstage Application Server
  • Interstage Apworks
  • Interstage Business Application Server
  • Interstage Job Workload Server
  • Interstage Studio
  • Interstage Web Server
  • Systemwalker Resource Coordinator

Impact

An attacker could execute arbitrary scripts on the user's web browser.
Solution

Please refer to the 'Vendor Information' section for official remediation and take appropriate action.
Vendor Information

Apache Software Foundation
Apple Inc.
Turbolinux, Inc.
Hewlett-Packard Development Company, L.P
MIRACLE LINUX CORPORATION
  • Asianux Technical Support Network : httpd-2.2.3-11.3.1AX
  • MIRACLE LINUX Update Information : 1205 (Japanese)
  • MIRACLE LINUX Update Information : 1224 (Japanese)
  • MIRACLE LINUX Update Information : 1221 (Japanese)
Red Hat, Inc.
Hitachi, Ltd
  • Hitachi Software Vulnerability Information : HS07-041
FUJITSU
CWE

  1. Cross-site Scripting (CWE-79) [NVD Evaluation]
CVE

  1. CVE-2007-4465
References

  1. National Vulnerability Database (NVD) : CVE-2007-4465
  2. US-CERT Cyber Security Alerts : SA08-150A
  3. US-CERT Technical Cyber Security Alert : TA08-150A
  4. SecurityFocus : 25653
  5. ISS X-Force Database : 36586
  6. SecurityTracker : 1019194
Revision History

  • [2008/05/21]
      Web page published
  • [2008/06/17]
      Affected Products : Added Apple Inc. (Security Update 2008-003).
      Vendor Information : Added Apple Inc. (Security Update 2008-003).
  • [2009/08/05]
      Affected Products : Added Hewlett-Packard Development Company, L.P (HPSBUX02365).
      Affected Products : Added Hewlett-Packard Development Company, L.P (HPSBUX02431).
      Affected Products : Added FUJITSU (interstage-200807e).
      Vendor Information : Added Hewlett-Packard Development Company, L.P (HPSBUX02365).
      Vendor Information : Added Hewlett-Packard Development Company, L.P (HPSBUX02431).
      Vendor Information : Added FUJITSU (interstage-200807e).
  • [2009/11/16]
      Vendor Information : Added Hewlett-Packard Development Company, L.P (HPSBUX02465).