Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2008-0455

Overview

Vulnerability Score 4.3 4.3
CVE Id CVE-2008-0455
Last Modified 06 Feb 2013 10:53:05
Published 24 Jan 2008 08:00:00
Confidentiality Impact NONE NONE
Integrity Impact PARTIAL PARTIAL
Availability Impact NONE NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2008-0455

Summary

Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary web script or HTML by uploading a file with a name containing XSS sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.

Vulnerable Systems

Application

  • Apache Http Server 1.3

  • Apache Http Server 1.3.1

  • Apache Http Server 1.3.11

  • Apache Http Server 1.3.12

  • Apache Http Server 1.3.14

  • Apache Http Server 1.3.17

  • Apache Http Server 1.3.18

  • Apache Http Server 1.3.19

  • Apache Http Server 1.3.20

  • Apache Http Server 1.3.22

  • Apache Http Server 1.3.23

  • Apache Http Server 1.3.24

  • Apache Http Server 1.3.25

  • Apache Http Server 1.3.26

  • Apache Http Server 1.3.27

  • Apache Http Server 1.3.28

  • Apache Http Server 1.3.29

  • Apache Http Server 1.3.3

  • Apache Http Server 1.3.31

  • Apache Http Server 1.3.32

  • Apache Http Server 1.3.33

  • Apache Http Server 1.3.34

  • Apache Http Server 1.3.35

  • Apache Http Server 1.3.36

  • Apache Http Server 1.3.37

  • Apache Http Server 1.3.39

  • Apache Http Server 2.0

  • Apache Http Server 2.0.28

  • Apache Http Server 2.0.32

  • Apache Http Server 2.0.35

  • Apache Http Server 2.0.36

  • Apache Http Server 2.0.37

  • Apache Http Server 2.0.38

  • Apache Http Server 2.0.39

  • Apache Http Server 2.0.40

  • Apache Http Server 2.0.41

  • Apache Http Server 2.0.42

  • Apache Http Server 2.0.43

  • Apache Http Server 2.0.44

  • Apache Http Server 2.0.45

  • Apache Http Server 2.0.46

  • Apache Http Server 2.0.47

  • Apache Http Server 2.0.48

  • Apache Http Server 2.0.49

  • Apache Http Server 2.0.50

  • Apache Http Server 2.0.51

  • Apache Http Server 2.0.52

  • Apache Http Server 2.0.53

  • Apache Http Server 2.0.54

  • Apache Http Server 2.0.55

  • Apache Http Server 2.0.56

  • Apache Http Server 2.0.58

  • Apache Http Server 2.0.59

  • Apache Http Server 2.0.60

  • Apache Http Server 2.0.61

  • Apache Http Server 2.0.9

  • Apache Http Server 2.2.0

  • Apache Http Server 2.2.2

  • Apache Http Server 2.2.3

  • Apache Http Server 2.2.4

  • Apache Http Server 2.2.5

  • Apache Http Server 2.2.6


References

BID - 27409

BUGTRAQ - 20080122 Apache mod_negotiation Xss and Http Response Splitting

MISC - http://www.mindedsecurity.com/MSA01150108.html

SECTRACK - 1019256

XF - apache-modnegotiation-xss(39867)

SREASON - 3575

GENTOO - GLSA-200803-19

SECUNIA - 29348

SECUNIA - 51607

REDHAT - RHSA-2012:1594

REDHAT - RHSA-2012:1592

REDHAT - RHSA-2012:1591

REDHAT - RHSA-2013:0130

Related Patches

Red Hat 2013:0130-01 RHSA Low: httpd security, bug fix, and enhancement update for RHEL 5 x86


Last Updated: 27 May 2016 11:01:34