The Apache HTTP Server Project is "an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.
Apache has been the most popular web server on the Internet since April 1996. The November 2005 Netcraft Web Server Survey found that more than 70% of the web sites on the Internet are using Apache, thus making it more widely used than all other web servers combined".
Mod_proxy_ftp "provides support for the proxying FTP sites. Note that FTP support is currently limited to the GET method." A UTF-7 XSS vulnerability exists in mod_proxy_ftp.c. The charset is not defined, so an XSS attack is possible by using the ";" character in the URL to set the charset to UTF-7.
Credit:
The information has been provided by sp3x.
The original article can be found at: http://securityreason.com/achievement_securityalert/46
Vulnerable Systems:
* Apache version 2.2.x with mod_proxy_ftp
* Apache version 2.0.x with mod_proxy_ftp
* Apache version 1.3.x with mod_proxy_ftp
Immune Systems:
* Apache version 2.2.7-dev with mod_proxy_ftp
* Apache version 2.0.62-dev with mod_proxy_ftp
* Apache version 1.3.40-dev with mod_proxy_ftp
mod_proxy_ftp in Apache 2.2.x before 2.2.7-dev, 2.0.x before 2.0.62-dev, and 1.3.x before 1.3.40-dev does not define a charset, which allows remote attackers to conduct cross-site scripting (XSS) attacks using UTF-7 encoding.
CVE Information:
CVE-2008-0005
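Defender-side check for the condition described above, an HTML response that declares no charset (or declares UTF-7). This is an added example, not code from the advisory or from Apache; the function names, the verdict strings and the sample responses are constructed for illustration.

```python
from email.message import Message

# Media types a browser renders as markup (assumption for this example).
MARKUP_TYPES = {"text/html", "application/xhtml+xml"}


def audit_content_type(header_value):
    """Classify one Content-Type header value.

    Returns 'ok', 'not-markup', 'missing-charset' or 'unsafe-charset'.
    """
    if header_value is None or not header_value.strip():
        # No header at all: the browser guesses both type and encoding.
        return "missing-charset"
    msg = Message()
    msg["Content-Type"] = header_value
    if msg.get_content_type() not in MARKUP_TYPES:
        return "not-markup"
    charset = msg.get_content_charset()  # lower-cased, unquoted, or None
    if not charset:
        return "missing-charset"
    if charset.replace("-", "").replace("_", "").endswith("utf7"):
        return "unsafe-charset"
    return "ok"


def findings(responses):
    """Return (url, verdict) for every response that needs attention."""
    out = []
    for url, content_type in responses:
        verdict = audit_content_type(content_type)
        if verdict in ("missing-charset", "unsafe-charset"):
            out.append((url, verdict))
    return out


# Constructed sample data: URL requested through the proxy, Content-Type returned.
SAMPLE = [
    ("ftp://ftp.example.org/pub/", "text/html"),
    ("ftp://ftp.example.org/doc/", 'TEXT/HTML; Charset="ISO-8859-1"'),
    ("ftp://ftp.example.org/tmp/", "text/html; charset=UTF-7"),
    ("ftp://ftp.example.org/a.tar", "application/octet-stream"),
]

if __name__ == "__main__":
    for url, verdict in findings(SAMPLE):
        print(f"{verdict:16} {url}")
```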