ISS X-Force Database: apache-modstatus-xss(35097): Apache HTTP Server mod

Apache HTTP Server mod_status module cross-site scripting

apache-modstatus-xss (35097)

Medium Risk

Description:

Apache HTTP Server is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the mod_status module. If the server-status page is publicly available and ExtendedStatus is enabled, a remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

Platforms Affected:

Apache, HTTP Server 1.3.37
Apache, HTTP Server 1.3.38 Dev
Apache, HTTP Server 2.0.59
Apache, HTTP Server 2.0.60 Dev
Apache, HTTP Server 2.2.4
Apache, HTTP Server 2.2.5 Dev
Avaya, Message Networking
Avaya, Message Storage Server 3.0
Canonical, Ubuntu 6.06 LTS
Canonical, Ubuntu 6.10
Canonical, Ubuntu 7.04
FUJITSU, Interstage Application Server Ent. Ed 5.0 (Solaris)
FUJITSU, Interstage Application Server Ent. Ed 5.0 (Turbolinux)
FUJITSU, Interstage Application Server Ent. Ed 5.0.1 (Solaris)
FUJITSU, Interstage Application Server Ent. Ed 6.0 (RHEL)
FUJITSU, Interstage Application Server Ent. Ed 6.0 (Solaris)
FUJITSU, Interstage Application Server Ent. Ed 7.0 (RHEL)
FUJITSU, Interstage Application Server Ent. Ed 7.0 (Solaris)
FUJITSU, Interstage Application Server Ent. Ed 7.0.1 (RHEL)
FUJITSU, Interstage Application Server Ent. Ed 7.0.1 (Solaris)
FUJITSU, Interstage Application Server Ent. Ed 8.0.0 (RHEL)
FUJITSU, Interstage Application Server Ent. Ed 8.0.0 (Solaris)
FUJITSU, Interstage Application Server Ent. Ed 8.0.2 (RHEL)
FUJITSU, Interstage Application Server Ent. Ed 8.0.2 (Solaris)
FUJITSU, Interstage Application Server Ent. Ed 9.0.0 Solaris
FUJITSU, Interstage Application Server Ent. Ed 9.0.0 RHEL
FUJITSU, Interstage Application Server Plus 7.0 (RHEL)
FUJITSU, Interstage Application Server Plus 7.0 (Solaris)
FUJITSU, Interstage Application Server Plus 7.0.1 (RHEL)
FUJITSU, Interstage Application Server Plus 7.0.1 (Solaris)
FUJITSU, Interstage Application Server Std Ed 5.0 (Solaris)
FUJITSU, Interstage Application Server Std Ed 5.0 (Turbolinux)
FUJITSU, Interstage Application Server Std J 8.0.0 (RHEL)
FUJITSU, Interstage Application Server Std J 8.0.2 (RHEL)
FUJITSU, Interstage Application Server Std J 9.0.0 RHEL
FUJITSU, Interstage Application Server Std. J 8.0.0 (Solaris)
FUJITSU, Interstage Application Server Web - J Ed 5.0 (Solaris)
FUJITSU, Interstage Application Server Web - J Ed 5.0 (Turbolinux)
FUJITSU, Interstage Business App. Server Ent. Ed 8.0.0 (RHEL)
FUJITSU, Interstage Job Workload Server 8.1.0 (RHEL)
Gentoo, Linux
Hitachi, Hitachi Web Server for AIX 01-01 to 01-02-/E
Hitachi, Hitachi Web Server for AIX 02-00 to 02-04-/B
Hitachi, Hitachi Web Server for AIX 03-00
Hitachi, Hitachi Web Server for AIX 03-10
Hitachi, Hitachi Web Server for HP-UX (IPF) 02-02 to 02-04-/B
Hitachi, Hitachi Web Server for HP-UX (IPF) 03-00
Hitachi, Hitachi Web Server for HP-UX 10.20 01-00 to 01-02-/D
Hitachi, Hitachi Web Server for HP-UX 11.00 01-00 to 01-02-/D
Hitachi, Hitachi Web Server for HP-UX 11.00 02-00 to 02-04-/B
Hitachi, Hitachi Web Server for HP-UX 11.00 03-00
Hitachi, Hitachi Web Server for Linux 01-01 to 01-01-/D
Hitachi, Hitachi Web Server for Linux 02-00 to 02-00-/A
Hitachi, Hitachi Web Server for Linux 02-02 to 02-06-/A
Hitachi, Hitachi Web Server for Linux 03-00 to 03-00-01
Hitachi, Hitachi Web Server for Linux (IPF) 02-02 to 02-04-/B
Hitachi, Hitachi Web Server for Linux (IPF) 03-00 to 03-00-01
Hitachi, Hitachi Web Server for Solaris 01-00 to 01-02-/D
Hitachi, Hitachi Web Server for Solaris 02-00 to 02-04-/B
Hitachi, Hitachi Web Server for Solaris 03-00
Hitachi, Hitachi Web Server for Turbolinux 01-01
Hitachi, Hitachi Web Server for Turbolinux 02-00
Hitachi, Hitachi Web Server for Windows 02-00 to 02-04-/D
Hitachi, Hitachi Web Server for Windows 03-00 to 03-00-01
Hitachi, Hitachi Web Server for Windows 03-10
Hitachi, Hitachi Web Server for Windows (IPF) 02-03 to 02-04-/A
HP, HP-UX B.11.11
HP, HP-UX B.11.23
HP, HP-UX B.11.31
IBM, HTTP Server 2.0.47
IBM, HTTP Server 6.0.2.22
IBM, HTTP Server 6.1
IBM, HTTP Server 6.1.0.12
MandrakeSoft, Mandrake Linux 2007
MandrakeSoft, Mandrake Linux 2007 X86_64
MandrakeSoft, Mandrake Linux 2007.1
MandrakeSoft, Mandrake Linux 2007.1 X86_64
MandrakeSoft, Mandrake Linux 2008.0 X86_64
MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
MandrakeSoft, Mandrake Linux Corporate Server 3.0
MandrakeSoft, Mandrake Linux Corporate Server 4.0
MandrakeSoft, Mandrake Linux Corporate Server 4.0 X86_64
MandrakeSoft, Mandrake Multi Network Firewall 2.0
Novell, Linux Desktop 9
Novell, Linux Desktop 9 SDK
Novell, Linux POS 9
Novell, Open Enterprise Server
Novell, Open Enterprise Server
Novell, OpenSUSE 10.2
Novell, OpenSUSE 10.3
Novell, SLE SDK 10 SP1
Novell, SUSE Linux Enterprise Desktop 10 SP1
Novell, SUSE Linux Enterprise Server 10
Novell, SUSE Linux Enterprise Server 10 SP1
RedHat, Application Stack v1 for EL AS 4
RedHat, Application Stack v1 for EL ES 4
RedHat, Enterprise Linux 2.1 ES
RedHat, Enterprise Linux 2.1 AS
RedHat, Enterprise Linux 2.1 WS
RedHat, Enterprise Linux 3 WS
RedHat, Enterprise Linux 3 ES
RedHat, Enterprise Linux 3 AS
RedHat, Enterprise Linux 3 Desktop
RedHat, Enterprise Linux 4 ES
RedHat, Enterprise Linux 4 AS
RedHat, Enterprise Linux 4 WS
RedHat, Enterprise Linux 4 Desktop
RedHat, Enterprise Linux 5 Client
RedHat, Enterprise Linux 5 Client Workstation
RedHat, Enterprise Linux 5
RedHat, Enterprise Linux Desktop 5.0
RedHat, Linux Advanced Workstation 2.1 Itanium
RedHat, Network Proxy 4.2
RedHat, Network Proxy 5.0
RedHat, Network Satellite Server 4.2
RedHat, Network Satellite Server 5.0
SuSE, SLE SDK 10
SuSE, SuSE Linux 10.0
SuSE, SuSE Linux 10.1
SuSE, SuSE SLES 9
Turbolinux, Turbolinux 10 Server
Turbolinux, Turbolinux 10 Server x64 Ed
Turbolinux, Turbolinux FUJI
Turbolinux, Turbolinux Appliance Server 2.0

Remedy:

For Red Hat Linux (httpd):
Refer to RHSA-2007:0556-2 for patch, upgrade, or suggested workaround information. See References.

For Mandriva Linux (apache):
Refer to MDKSA-2007:140 for patch, upgrade, or suggested workaround information. See References.

For Turbolinux (libwpd):
Refer to TLSA-2007-41 for patch, upgrade, or suggested workaround information. See References.

For Ubuntu Linux (apache2):
Refer to USN-499-1 for patch, upgrade, or suggested workaround information. See References.

For Avaya (httpd):
Refer to ASA-2007-353 for patch, upgrade, or suggested workaround information. See References.

For IBM (IBM HTTP Server):
Refer to APAR PK49295 for patch, upgrade, or suggested workaround information. See References.

For IBM HTTP SERVER (2.0.47):
Refer to APAR PK53584 for patch, upgrade, or suggested workaround information. See References.

For IBM HTTP Server for WebSphere:
Refer to APAR PK52702 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Apply the appropriate update for your system. See References.

Consequences:

Gain Access

References:

Apache HTTP Server Web site, Welcome! - The Apache HTTP Server Project at http://httpd.apache.org/.
Apache Web site , moderate: mod_status cross-site scripting CVE-2006-5752 at http://httpd.apache.org/security/.
APAR PK49295, CVE-2006-5752 MOD_STATUS CROSS-SITE SCRIPTING VULNERABILITY at http://www-1.ibm.com/support/docview.wss?uid=swg1PK49295.
APAR PK52702, Z/OS IBM HTTP SERVER FOR WEBSPHERE (POWERED BY APACHE) FIX PACK 6.1.0.13 at http://www-1.ibm.com/support/docview.wss?uid=swg1PK52702.
APAR PK53584, IBM HTTP SERVER 2.0.47 CUMULATIVE E-FIX at http://www-1.ibm.com/support/docview.wss?rs=203&context=SW000&dc=DB550&dc=D100&q1=Security+vulnerability&uid=swg1PK53584&loc=en_US&cs=UTF-8&lang=all.
FUJITSU Web site, Cross site scripting (XSS) and denial of service (DoS) vulnerabilities in Interstage HTTP Server. January 22nd, 2008 at http://www.fujitsu.com/global/support/software/security/products-f/interstage-200802e.html.
HPSBUX02262 SSRT071447, HP-UX running Apache, Remote Arbitrary Code Execution, Cross Site Scripting (XSS) at http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795.
HS07-035 , Cross-Site Scripting Vulnerability in Hitachi Web Server Function for Creating Server-Status Pages at http://www.hitachi-support.com/security_e/vuls_e/HS07-035_e/index-e.html.
Nortel BULLETIN ID: 2008008602, Rev 1, Nortel Response to Apache 1.3 and 2.0 Web Server Daemon Vulnerabilities at http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=689039#PRODUCTS.
Sun Alert ID: 103179, Security Vulnerabilities in the Apache 1.3 and 2.0 Web Server Daemon and "mod_status" Module May Lead to Cross Site Scripting (XSS) or Denial of Service (DoS). at http://sunsolve.sun.com/search/document.do?assetkey=1-26-103179-1.
ASA-2007-288: Apache security update (RHSA-2007-0532)
ASA-2007-327: httpd security update (RHSA-2007-0533 and RHSA-2007-0534)
ASA-2007-353: httpd security update (RHSA-2007-0557)
ASA-2007-416: HP-UX running Apache, Remote Arbitrary Code Execution, Cross Site Scripting (XSS) (HPSBUX02262)
ASA-2008-012: Security Vulnerabilities in the Apache 1.3 and 2.0 Web Server Daemon and "mod_status" Module May Lead to Cross Site Scripting (XSS) or Denial of Service (DoS) (SUN 103179)
BID-24645: Apache HTTP Server Mod_Status Cross-Site Scripting Vulnerability
BID-26271: Hitachi Web Server HTML Injection Vulnerability and Signature Forgery Vulnerability
CVE-2006-5752: Cross-site scripting (XSS) vulnerability in mod_status.c in the mod_status module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a public server-status page is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving charsets with browsers that perform charset detection when the content-type is not specified.
CVE-2007-5809: Cross-site scripting (XSS) vulnerability in Hitachi Web Server 01-00 through 03-10, as used by certain Cosminexus products, allows remote attackers to inject arbitrary web script or HTML via unspecified HTTP requests that trigger creation of a server-status page.
GLSA-200711-06: Apache: Multiple vulnerabilities
MDKSA-2007:140: Updated apache packages fix multiple security issues
MDKSA-2007:141: Updated apache packages fix multiple security issues
MDKSA-2007:142: Updated apache packages fix multiple security issues
RHSA-2007-0532: Moderate: apache security update
RHSA-2007-0533: Moderate: httpd security update
RHSA-2007-0534: Moderate: httpd security update
RHSA-2007-0556: Moderate: httpd security update
RHSA-2007-0557: Moderate: httpd security update
RHSA-2008-0261: Moderate: Red Hat Network Satellite Server security update
RHSA-2008-0263: Low: Red Hat Network Proxy Server security update
RHSA-2008-0523: Low: Red Hat Network Proxy Server security update
RHSA-2008-0524: Low: Red Hat Network Satellite Server security update
SA26273: Apache Denial of Service and Cross-Site Scripting
SA26458: IBM HTTP Server "mod_status" Cross-Site Scripting
SA26508: Avaya Products Perl Net::DNS and Apache Vulnerabilities
SA26993: IBM WebSphere Application Server for z/OS HTTP Server Vulnerabilities
SA27421: Hitachi Web Server Multiple Vulnerabilities
SA28212: Sun Solaris Apache Cross-Site Scripting and Denial of Service
SA28224: Sun Solaris Apache Cross-Site Scripting and Denial of Service
SA28606: Interstage HTTP Server Multiple Vulnerabilities
SECTRACK ID: 1018302: Apache mod_status Input Validation Hole Permits Cross-Site Scripting Attacks
SUSE-SA:2007:061: Apache2 security issues

Reported:

Jun 26, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page