Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
Производитель ПО
Наименование ПО
Apache HTTP Server
(1.3.0, 1.3.40-dev, 2.0.0, 2.0.62-dev, 2.2.0, 2.2.7-dev)
httpd
(Unknown)
mod_ssl
(Unknown)
Описание
mod_proxy_ftp в Apache не определяет набор символов, что позволяет злоумышленникам, действующим удаленно, проводить атаки межсайтового выполнения сценариев, используя кодировку UTF-7.
Как исправить
Для устранения уязвимости необходимо установить последнюю версию продукта, соответствующую используемой платформе. Необходимую информацию можно получить по адресу:
http://www.apache.org/
http://www.apache.org/
Ссылки
SREASONRES (20080110 Apache (mod_proxy_ftp) Undefined Charset UTF-7 XSS Vulnerability): http://securityreason.com/achievement_securityalert/49
XF (apache-modproxyftp-utf7-xss(39615)): http://xforce.iss.net/xforce/xfdb/39615
BUGTRAQ (20080110 SecurityReason - Apache (mod_proxy_ftp) Undefined Charset UTF-7 XSS Vulnerability): http://www.securityfocus.com/archive/1/archive/1/486167/100/0/threaded
MANDRIVA (MDVSA-2008:014): http://www.mandriva.com/security/advisories?name=MDVSA-2008:014
MANDRIVA (MDVSA-2008:015): http://www.mandriva.com/security/advisories?name=MDVSA-2008:015
REDHAT (RHSA-2008:0004): http://www.redhat.com/support/errata/RHSA-2008-0004.html
REDHAT (RHSA-2008:0005): http://www.redhat.com/support/errata/RHSA-2008-0005.html
REDHAT (RHSA-2008:0006): http://www.redhat.com/support/errata/RHSA-2008-0006.html
REDHAT (RHSA-2008:0007): http://www.redhat.com/support/errata/RHSA-2008-0007.html
REDHAT (RHSA-2008:0008): http://www.redhat.com/support/errata/RHSA-2008-0008.html
BID (27234): http://www.securityfocus.com/bid/27234
SECTRACK (1019185): http://www.securitytracker.com/id?1019185
MANDRIVA (MDVSA-2008:016): http://www.mandriva.com/security/advisories?name=MDVSA-2008:016
http://support.avaya.com/elmodocs2/security/ASA-2008-032.htm
UBUNTU (USN-575-1): http://www.ubuntu.com/usn/usn-575-1
http://httpd.apache.org/security/vulnerabilities_22.html
XF (apache-modproxyftp-utf7-xss(39615)): http://xforce.iss.net/xforce/xfdb/39615
BUGTRAQ (20080110 SecurityReason - Apache (mod_proxy_ftp) Undefined Charset UTF-7 XSS Vulnerability): http://www.securityfocus.com/archive/1/archive/1/486167/100/0/threaded
MANDRIVA (MDVSA-2008:014): http://www.mandriva.com/security/advisories?name=MDVSA-2008:014
MANDRIVA (MDVSA-2008:015): http://www.mandriva.com/security/advisories?name=MDVSA-2008:015
REDHAT (RHSA-2008:0004): http://www.redhat.com/support/errata/RHSA-2008-0004.html
REDHAT (RHSA-2008:0005): http://www.redhat.com/support/errata/RHSA-2008-0005.html
REDHAT (RHSA-2008:0006): http://www.redhat.com/support/errata/RHSA-2008-0006.html
REDHAT (RHSA-2008:0007): http://www.redhat.com/support/errata/RHSA-2008-0007.html
REDHAT (RHSA-2008:0008): http://www.redhat.com/support/errata/RHSA-2008-0008.html
BID (27234): http://www.securityfocus.com/bid/27234
SECTRACK (1019185): http://www.securitytracker.com/id?1019185
MANDRIVA (MDVSA-2008:016): http://www.mandriva.com/security/advisories?name=MDVSA-2008:016
http://support.avaya.com/elmodocs2/security/ASA-2008-032.htm
UBUNTU (USN-575-1): http://www.ubuntu.com/usn/usn-575-1
http://httpd.apache.org/security/vulnerabilities_22.html