jvndb-2007-001022
Vulnerability from jvndb
Published
2008-05-21 00:00
Modified
2009-11-16 11:52
Severity ?
() - -
Summary
Apache UTF-7 Encoding Cross-Site Scripting Vulnerability
Details
The mod_autoindex.c module in Apache HTTP Server is vulnerable to a cross-site scripting attack. When the charset on a server-generated page is undefined, the vulnerability allows attackers to inject arbitrary scripts or HTML via the P parameter using the UTF-7 charset.
References
JVNTR http://jvn.jp/en/tr/TRTA08-150A/index.html
CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465
NVD http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4465
CERT-SA http://www.us-cert.gov/cas/alerts/SA08-150A.html
CERT-TA http://www.us-cert.gov/cas/techalerts/TA08-150A.html
BID http://www.securityfocus.com/bid/25653
XF http://xforce.iss.net/xforce/xfdb/36586
SECTRACK http://www.securitytracker.com/id?1019194
Cross-site Scripting(CWE-79) https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
Impacted products
Apache Software FoundationApache HTTP Server
FUJITSUInterstage Application Framework Suite
FUJITSUInterstage Application Server
FUJITSUInterstage Apworks
FUJITSUInterstage Business Application Server
FUJITSUInterstage Job Workload Server
FUJITSUInterstage Studio
FUJITSUInterstage Web Server
FUJITSUSystemwalker Resource Coordinator
Hitachi, LtdHitachi Web Server
Hitachi, LtduCosminexus Application Server
Hitachi, LtduCosminexus Service
Apple Inc.Apple Mac OS X Server
Hewlett-Packard Development Company,L.PHP-UX
Cybertrust Japan Co., Ltd.Asianux Server
Red Hat, Inc.Red Hat Enterprise Linux
Red Hat, Inc.Red Hat Enterprise Linux Desktop
Red Hat, Inc.Red Hat Linux Advanced Workstation
Red Hat, Inc.RHEL Desktop Workstation
Turbolinux, Inc.Turbolinux Appliance Server
Turbolinux, Inc.Turbolinux FUJI
Turbolinux, Inc.Turbolinux Multimedia
Turbolinux, Inc.Turbolinux Personal
Turbolinux, Inc.Turbolinux Server
Show details on JVN DB website

To clipboard 

{
   "@rdf:about": "https://jvndb.jvn.jp/en/contents/2007/JVNDB-2007-001022.html",
   "dc:date": "2009-11-16T11:52+09:00",
   "dcterms:issued": "2008-05-21T00:00+09:00",
   "dcterms:modified": "2009-11-16T11:52+09:00",
   description: "The mod_autoindex.c module in Apache HTTP Server is vulnerable to a cross-site scripting attack. When the charset on a server-generated page is undefined, the vulnerability allows attackers to inject arbitrary scripts or HTML via the P parameter using the UTF-7 charset.",
   link: "https://jvndb.jvn.jp/en/contents/2007/JVNDB-2007-001022.html",
   "sec:cpe": [
      {
         "#text": "cpe:/a:apache:http_server",
         "@product": "Apache HTTP Server",
         "@vendor": "Apache Software Foundation",
         "@version": "2.2",
      },
      {
         "#text": "cpe:/a:fujitsu:interstage_application_framework_suite",
         "@product": "Interstage Application Framework Suite",
         "@vendor": "FUJITSU",
         "@version": "2.2",
      },
      {
         "#text": "cpe:/a:fujitsu:interstage_application_server",
         "@product": "Interstage Application Server",
         "@vendor": "FUJITSU",
         "@version": "2.2",
      },
      {
         "#text": "cpe:/a:fujitsu:interstage_apworks",
         "@product": "Interstage Apworks",
         "@vendor": "FUJITSU",
         "@version": "2.2",
      },
      {
         "#text": "cpe:/a:fujitsu:interstage_business_application_server",
         "@product": "Interstage Business Application Server",
         "@vendor": "FUJITSU",
         "@version": "2.2",
      },
      {
         "#text": "cpe:/a:fujitsu:interstage_job_workload_server",
         "@product": "Interstage Job Workload Server",
         "@vendor": "FUJITSU",
         "@version": "2.2",
      },
      {
         "#text": "cpe:/a:fujitsu:interstage_studio",
         "@product": "Interstage Studio",
         "@vendor": "FUJITSU",
         "@version": "2.2",
      },
      {
         "#text": "cpe:/a:fujitsu:interstage_web_server",
         "@product": "Interstage Web Server",
         "@vendor": "FUJITSU",
         "@version": "2.2",
      },
      {
         "#text": "cpe:/a:fujitsu:systemwalker_resource_coordinator",
         "@product": "Systemwalker Resource Coordinator",
         "@vendor": "FUJITSU",
         "@version": "2.2",
      },
      {
         "#text": "cpe:/a:hitachi:hitachi_web_server",
         "@product": "Hitachi Web Server",
         "@vendor": "Hitachi, Ltd",
         "@version": "2.2",
      },
      {
         "#text": "cpe:/a:hitachi:ucosminexus_application_server",
         "@product": "uCosminexus Application Server",
         "@vendor": "Hitachi, Ltd",
         "@version": "2.2",
      },
      {
         "#text": "cpe:/a:hitachi:ucosminexus_service",
         "@product": "uCosminexus Service",
         "@vendor": "Hitachi, Ltd",
         "@version": "2.2",
      },
      {
         "#text": "cpe:/o:apple:mac_os_x_server",
         "@product": "Apple Mac OS X Server",
         "@vendor": "Apple Inc.",
         "@version": "2.2",
      },
      {
         "#text": "cpe:/o:hp:hp-ux",
         "@product": "HP-UX",
         "@vendor": "Hewlett-Packard Development Company,L.P",
         "@version": "2.2",
      },
      {
         "#text": "cpe:/o:misc:miraclelinux_asianux_server",
         "@product": "Asianux Server",
         "@vendor": "Cybertrust Japan Co., Ltd.",
         "@version": "2.2",
      },
      {
         "#text": "cpe:/o:redhat:enterprise_linux",
         "@product": "Red Hat Enterprise Linux",
         "@vendor": "Red Hat, Inc.",
         "@version": "2.2",
      },
      {
         "#text": "cpe:/o:redhat:enterprise_linux_desktop",
         "@product": "Red Hat Enterprise Linux Desktop",
         "@vendor": "Red Hat, Inc.",
         "@version": "2.2",
      },
      {
         "#text": "cpe:/o:redhat:linux_advanced_workstation",
         "@product": "Red Hat Linux Advanced Workstation",
         "@vendor": "Red Hat, Inc.",
         "@version": "2.2",
      },
      {
         "#text": "cpe:/o:redhat:rhel_desktop_workstation",
         "@product": "RHEL Desktop Workstation",
         "@vendor": "Red Hat, Inc.",
         "@version": "2.2",
      },
      {
         "#text": "cpe:/o:turbolinux:turbolinux_appliance_server",
         "@product": "Turbolinux Appliance Server",
         "@vendor": "Turbolinux, Inc.",
         "@version": "2.2",
      },
      {
         "#text": "cpe:/o:turbolinux:turbolinux_fuji",
         "@product": "Turbolinux FUJI",
         "@vendor": "Turbolinux, Inc.",
         "@version": "2.2",
      },
      {
         "#text": "cpe:/o:turbolinux:turbolinux_multimedia",
         "@product": "Turbolinux Multimedia",
         "@vendor": "Turbolinux, Inc.",
         "@version": "2.2",
      },
      {
         "#text": "cpe:/o:turbolinux:turbolinux_personal",
         "@product": "Turbolinux Personal",
         "@vendor": "Turbolinux, Inc.",
         "@version": "2.2",
      },
      {
         "#text": "cpe:/o:turbolinux:turbolinux_server",
         "@product": "Turbolinux Server",
         "@vendor": "Turbolinux, Inc.",
         "@version": "2.2",
      },
   ],
   "sec:cvss": {
      "@score": "4.3",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
      "@version": "2.0",
   },
   "sec:identifier": "JVNDB-2007-001022",
   "sec:references": [
      {
         "#text": "http://jvn.jp/en/tr/TRTA08-150A/index.html",
         "@id": "TRTA08-150A",
         "@source": "JVNTR",
      },
      {
         "#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465",
         "@id": "CVE-2007-4465",
         "@source": "CVE",
      },
      {
         "#text": "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4465",
         "@id": "CVE-2007-4465",
         "@source": "NVD",
      },
      {
         "#text": "http://www.us-cert.gov/cas/alerts/SA08-150A.html",
         "@id": "SA08-150A",
         "@source": "CERT-SA",
      },
      {
         "#text": "http://www.us-cert.gov/cas/techalerts/TA08-150A.html",
         "@id": "TA08-150A",
         "@source": "CERT-TA",
      },
      {
         "#text": "http://www.securityfocus.com/bid/25653",
         "@id": "25653",
         "@source": "BID",
      },
      {
         "#text": "http://xforce.iss.net/xforce/xfdb/36586",
         "@id": "36586",
         "@source": "XF",
      },
      {
         "#text": "http://www.securitytracker.com/id?1019194",
         "@id": "1019194",
         "@source": "SECTRACK",
      },
      {
         "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
         "@id": "CWE-79",
         "@title": "Cross-site Scripting(CWE-79)",
      },
   ],
   title: "Apache UTF-7 Encoding Cross-Site Scripting Vulnerability",
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.