Apache Mod_AutoIndex.C Undefined Charset Cross-Site Scripting Vulnerability

2015年7月21日

危険度: : 中

CVE識別番号: CVE-2007-4465

概要

Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitrary web script or HTML via the P parameter using the UTF-7 charset. NOTE: it could be argued that this issue is due to a design limitation of browsers that attempt to perform automatic content type detection.

トレンドマイクロの対策

Apply associated Trend Micro DPI Rules.

対応方法

Trend Micro Deep Security DPI Rule Number: 1000552

Trend Micro Deep Security DPI Rule Name: 1000552 - Generic Cross Site Scripting(XSS) Prevention

影響を受けるソフトウェア

apache http_server 2.0
apache http_server 2.0.28
apache http_server 2.0.32
apache http_server 2.0.34
apache http_server 2.0.35
apache http_server 2.0.36
apache http_server 2.0.37
apache http_server 2.0.38
apache http_server 2.0.39
apache http_server 2.0.40
apache http_server 2.0.41
apache http_server 2.0.42
apache http_server 2.0.43
apache http_server 2.0.44
apache http_server 2.0.45
apache http_server 2.0.46
apache http_server 2.0.47
apache http_server 2.0.48
apache http_server 2.0.49
apache http_server 2.0.50
apache http_server 2.0.51
apache http_server 2.0.52
apache http_server 2.0.53
apache http_server 2.0.54
apache http_server 2.0.55
apache http_server 2.0.56
apache http_server 2.0.57
apache http_server 2.0.58
apache http_server 2.0.59
apache http_server 2.0.60
apache http_server 2.0.61
apache http_server 2.0.9
apache http_server 2.1
apache http_server 2.1.1
apache http_server 2.1.2
apache http_server 2.1.3
apache http_server 2.1.4
apache http_server 2.1.5
apache http_server 2.1.6
apache http_server 2.1.7
apache http_server 2.1.8
apache http_server 2.2
apache http_server 2.2.1
apache http_server 2.2.2
apache http_server 2.2.3
apache http_server 2.2.4
apache http_server 2.2.5