CVE-2007-6388 - Cross-Site Scripting (XSS) vulnerability in Apache HTTP Server

Publication

2008-01-08

Last modification

2018-10-30

Summary

Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39, when the server-status page is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Description

The Apache HTTP Server 'mod_status' module is prone to a cross-site scripting vulnerability because the module fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Reportedly, attackers can also use this issue to redirect users' browsers to arbitrary locations, which may aid in phishing attacks. The issue affects versions prior to Apache 2.2.7-dev, 2.0.62-dev, and 1.3.40-dev.
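The summary notes that the issue is only reachable when the server-status page is enabled. The configuration below is an added example, not text from the advisory or from the Apache project, showing the permissive mod_status setting beside one that limits the handler to an administrative network; it assumes Apache HTTP Server 2.2.x directive syntax (Order/Allow/Deny, which 1.3 and 2.0 also accept) and uses 192.0.2.0/24 as a placeholder admin range. Restricting access limits who can reach the vulnerable handler but does not replace updating to the fixed releases named in the vendor comment.

```apache
# Added example (not from the advisory): constrain mod_status exposure.
# Assumes Apache 2.2.x syntax; 192.0.2.0/24 is a placeholder admin network.

# Weak setting: the handler answers any client that can reach the server.
#<Location /server-status>
#    SetHandler server-status
#</Location>

# Restricted setting: only the admin network may request the page.
<IfModule mod_status.c>
    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from 192.0.2.0/24
    </Location>

    # ExtendedStatus adds per-request detail (request line, client address)
    # to the page; keep it Off unless that detail is actually needed.
    ExtendedStatus Off
</IfModule>
```

If mod_status is not used at all, leaving the module unloaded (or omitting the `<Location>` block so no handler is mapped) removes the page entirely. On Apache 2.4 the equivalent of the Order/Deny/Allow lines is a single `Require ip 192.0.2.0/24`.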

Solution

Updates are available. Please see the references for more information.

  • Fujitsu INTERSTAGE Application Server Enterprise Edition 6.0: INTS-APSREEG6.0_PUF_T0103S-07A.tar.Z for Solaris, http://www.fujitsu.com/downloads/SEC/INTS-APSREEG6.0_PUF_T0103S-07A.tar.Z
  • Fujitsu INTERSTAGE Application Server Enterprise Edition 7.0: INTS-APSREE7.0_PUF_T013RS-06.tar.Z for Solaris, http://www.fujitsu.com/downloads/SEC/INTS-APSREE7.0_PUF_T013RS-06.tar.Z
  • Fujitsu INTERSTAGE Application Server Enterprise Edition 7.0: TP09823.exe for Windows, http://www.fujitsu.com/downloads/SEC/TP09823.exe
  • Fujitsu INTERSTAGE Application Server Enterprise Edition 5.0: 912327-11.tar.Z for Solaris, http://www.fujitsu.com/downloads/SEC/912327-11.tar.Z
  • Fujitsu INTERSTAGE Application Server Enterprise Edition 5.0: TP09823.exe for Windows, http://www.fujitsu.com/downloads/SEC/TP09823.exe
  • Apple Mac OS X Server 10.5: Security Update 2008-003 Server (PPC), http://www.apple.com/support/downloads/securityupdate2008003serverppc.html
  • Apple Mac OS X Server 10.5: Security Update 2008-003 Server (Universal), http://www.apple.com/support/downloads/securityupdate2008003serveruniversal.html
  • Apple Mac OS X 10.4.11: SecUpd2008-002PPC.dmg, http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&cat=57&platform=osx&method=sa/SecUpd2008-002PPC.dmg
  • Apple Mac OS X 10.4.11: SecUpd2008-002Univ.dmg, http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&cat=57&platform=osx&method=sa/SecUpd2008-002Univ.dmg
  • Apple Mac OS X 10.4.11: Security Update 2008-003 (Intel), http://www.apple.com/support/downloads/securityupdate2008003intel.html
  • Apple Mac OS X 10.4.11: Security Update 2008-003 (PPC), http://www.apple.com/support/downloads/securityupdate2008003ppc.html
  • Apple Mac OS X Server 10.5.2: SecUpdSrvr2008-002.dmg, http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&cat=57&platform=osx&method=sa/SecUpdSrvr2008-002.dmg
  • Apple Mac OS X Server 10.5.2: Security Update 2008-003 Server (PPC), http://www.apple.com/support/downloads/securityupdate2008003serverppc.html
  • Apple Mac OS X Server 10.5.2: Security Update 2008-003 Server (Universal), http://www.apple.com/support/downloads/securityupdate2008003serveruniversal.html
  • Fujitsu INTERSTAGE Application Server Enterprise Edition 7.0.1: INTS-APSREE7.0.1_PUF_T023AS-05.tar.Z for Solaris, http://www.fujitsu.com/downloads/SEC/INTS-APSREE7.0.1_PUF_T023AS-05.tar.Z
  • Fujitsu INTERSTAGE Application Server Enterprise Edition 7.0.1: TP09823.exe for Windows, http://www.fujitsu.com/downloads/SEC/TP09823.exe

Exploit

An attacker can exploit this issue by enticing an unsuspecting user to follow a malicious URI.

Classification

CWE-79 - Cross-Site Scripting (XSS)

Risk level (CVSS AV:N/AC:M/Au:N/C:N/I:P/A:N)

Medium

4.3

Access Vector

  • Network (AV:N)

Access Complexity

  • Medium (AC:M)

Authentication

  • None (Au:N)

Confidentiality Impact

  • None (C:N)

Integrity Impact

  • Partial (I:P)

Availability Impact

  • None (A:N)

Vendor comments

  • Mark J Cox - Apache (2008-07-02)
    Fixed in Apache HTTP Server 2.2.8, 2.0.63 and 1.3.41: http://httpd.apache.org/security/vulnerabilities_22.html http://httpd.apache.org/security/vulnerabilities_20.html http://httpd.apache.org/security/vulnerabilities_13.html

OVAL definition

{
    "accepted": "2013-04-29T04:04:12.850-04:00",
    "class": "vulnerability",
    "contributors": [
        {
            "name": "Aharon Chernin",
            "organization": "SCAP.com, LLC"
        },
        {
            "name": "Dragos Prisaca",
            "organization": "G2, Inc."
        }
    ],
    "definition_extensions": [
        {
            "comment": "The operating system installed on the system is Red Hat Enterprise Linux 3",
            "oval": "oval:org.mitre.oval:def:11782"
        },
        {
            "comment": "CentOS Linux 3.x",
            "oval": "oval:org.mitre.oval:def:16651"
        },
        {
            "comment": "The operating system installed on the system is Red Hat Enterprise Linux 4",
            "oval": "oval:org.mitre.oval:def:11831"
        },
        {
            "comment": "CentOS Linux 4.x",
            "oval": "oval:org.mitre.oval:def:16636"
        },
        {
            "comment": "Oracle Linux 4.x",
            "oval": "oval:org.mitre.oval:def:15990"
        },
        {
            "comment": "The operating system installed on the system is Red Hat Enterprise Linux 5",
            "oval": "oval:org.mitre.oval:def:11414"
        },
        {
            "comment": "The operating system installed on the system is CentOS Linux 5.x",
            "oval": "oval:org.mitre.oval:def:15802"
        },
        {
            "comment": "Oracle Linux 5.x",
            "oval": "oval:org.mitre.oval:def:15459"
        }
    ],
    "description": "Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39, when the server-status page is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.",
    "family": "unix",
    "id": "oval:org.mitre.oval:def:10272",
    "status": "accepted",
    "submitted": "2010-07-09T03:56:16-04:00",
    "title": "Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39, when the server-status page is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.",
    "version": "24"
}

External references