Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 4.3
CVE Id: CVE-2007-4465
Last Modified: 07 Mar 2011 09:58:37
Published: 13 Sep 2007 08:17:00
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2007-4465

Summary

Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitrary web script or HTML via the P parameter using the UTF-7 charset. NOTE: it could be argued that this issue is due to a design limitation of browsers that attempt to perform automatic content type detection.

Vulnerable Systems

Application

  • Apache HTTP Server 2.0
  • Apache HTTP Server 2.0.28
  • Apache HTTP Server 2.0.32
  • Apache HTTP Server 2.0.34
  • Apache HTTP Server 2.0.35
  • Apache HTTP Server 2.0.36
  • Apache HTTP Server 2.0.37
  • Apache HTTP Server 2.0.38
  • Apache HTTP Server 2.0.39
  • Apache HTTP Server 2.0.40
  • Apache HTTP Server 2.0.41
  • Apache HTTP Server 2.0.42
  • Apache HTTP Server 2.0.43
  • Apache HTTP Server 2.0.44
  • Apache HTTP Server 2.0.45
  • Apache HTTP Server 2.0.46
  • Apache HTTP Server 2.0.47
  • Apache HTTP Server 2.0.48
  • Apache HTTP Server 2.0.49
  • Apache HTTP Server 2.0.50
  • Apache HTTP Server 2.0.51
  • Apache HTTP Server 2.0.52
  • Apache HTTP Server 2.0.53
  • Apache HTTP Server 2.0.54
  • Apache HTTP Server 2.0.55
  • Apache HTTP Server 2.0.56
  • Apache HTTP Server 2.0.57
  • Apache HTTP Server 2.0.58
  • Apache HTTP Server 2.0.59
  • Apache HTTP Server 2.0.60
  • Apache HTTP Server 2.0.61
  • Apache HTTP Server 2.0.9
  • Apache HTTP Server 2.1
  • Apache HTTP Server 2.1.1
  • Apache HTTP Server 2.1.2
  • Apache HTTP Server 2.1.3
  • Apache HTTP Server 2.1.4
  • Apache HTTP Server 2.1.5
  • Apache HTTP Server 2.1.6
  • Apache HTTP Server 2.1.7
  • Apache HTTP Server 2.1.8
  • Apache HTTP Server 2.2
  • Apache HTTP Server 2.2.1
  • Apache HTTP Server 2.2.2
  • Apache HTTP Server 2.2.3
  • Apache HTTP Server 2.2.4
  • Apache HTTP Server 2.2.5

References

CERT - TA08-150A
BID - 25653
VUPEN - ADV-2008-1697
BUGTRAQ - 20070912 Apache2 Undefined Charset UTF-7 XSS Vulnerability
CONFIRM - http://www.fujitsu.com/global/support/software/security/products-f/interstage-200807e.html
CONFIRM - http://www.apache.org/dist/httpd/CHANGES_2.2.6
SREASON - 3113
SECUNIA - 35650
SECUNIA - 33105
SECUNIA - 31651
HP - SSRT090192
HP - SSRT090085
HP - HPSBUX02365
FEDORA - FEDORA-2007-707
XF - apache-utf7-xss(36586)
UBUNTU - USN-575-1
REDHAT - RHSA-2008:0261
REDHAT - RHSA-2008:0008
REDHAT - RHSA-2008:0006
REDHAT - RHSA-2008:0005
REDHAT - RHSA-2008:0004
REDHAT - RHSA-2007:0911
FEDORA - FEDORA-2007-2214
SUSE - SUSE-SA:2007:061
MANDRIVA - MDVSA-2008:014
CONFIRM - http://support.avaya.com/elmodocs2/security/ASA-2008-032.htm
SECTRACK - 1019194
GENTOO - GLSA-200711-06
SECUNIA - 30430
SECUNIA - 28749
SECUNIA - 28607
SECUNIA - 28471
SECUNIA - 28467
SECUNIA - 27732
SECUNIA - 27563
SECUNIA - 26952
SECUNIA - 26842
APPLE - APPLE-SA-2008-05-28
CONFIRM - http://bugs.gentoo.org/show_bug.cgi?id=186219
HP - HPSBUX02465
HP - HPSBUX02431
HP - SSRT080118

Related Patches

Apple 2008-05-28 Security Update 2008-003 (PPC)
Apple 2008-05-28 Security Update 2008-003 Server (PPC)
Apple 2008-05-28 Security Update 2008-003 (Intel)
Apple 2008-05-28 Security Update 2008-003 Server (Universal)

Last Updated: 27 May 2016 10:47:26