CVSS2 | Value |
---|---|
Base score | 4.3 (Medium) |
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
EPSS | 0.054 (Low), percentile 93.0% |
The Apache web server mod_proxy_ftp module contains a cross-site scripting (XSS) vulnerability.
The Apache mod_proxy_ftp module allows the Apache web server to act as a proxy for FTP sites. Filename globbing is the process of using wildcards to match filenames. The mod_proxy_ftp module contains an XSS vulnerability that occurs because the module does not properly filter globbed characters in FTP URIs.
A remote attacker may be able to execute arbitrary JavaScript in the context of a site being proxied by the Apache server.
Upgrade
Apache has released updates to address this issue. These updates are available on the Apache SVN server:
http://svn.apache.org/viewvc?view=rev&revision=682868
http://svn.apache.org/viewvc?view=rev&revision=682870
http://svn.apache.org/viewvc?view=rev&revision=682871
Note that vendors who distribute Apache may not immediately have a version or update that contains these fixes.
Workarounds
* Mozilla Firefox users can use the [NoScript](<http://noscript.net/>) extension to keep JavaScript from running in untrusted domains.
* Application firewalls and IPS systems may be able to block certain types of XSS attacks at the network perimeter.
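As an added illustration of the second workaround (it is not part of the CERT note or of Apache's code), the detector below scans Apache access-log lines for proxied FTP request URIs whose path combines a filename-globbing wildcard with an HTML-active character, which is the combination this advisory describes. The log lines are constructed samples, and the exact pattern an IPS or application firewall would match is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache combined format (not real traffic).
# In a forward-proxy setup the request line carries the absolute ftp:// URI.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Aug/2008:10:00:01 +0000] "GET ftp://ftp.example.com/pub/README HTTP/1.1" 200 512
203.0.113.5 - - [08/Aug/2008:10:00:02 +0000] "GET ftp://ftp.example.com/pub/*.txt HTTP/1.1" 200 4096
203.0.113.9 - - [08/Aug/2008:10:00:03 +0000] "GET ftp://ftp.example.com/pub/*%3Cb%3Ex HTTP/1.1" 200 1337
203.0.113.9 - - [08/Aug/2008:10:00:04 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)
GLOB_CHARS = set("*?[]")      # wildcard characters that trigger FTP filename globbing
HTML_ACTIVE = set('<>"\'')    # characters that change meaning when echoed into HTML


def is_suspicious_ftp_uri(uri):
    """True if uri is a proxied FTP request whose path mixes globbing with HTML-active chars."""
    if not uri.lower().startswith("ftp://"):
        return False
    rest = uri[len("ftp://"):]
    # Percent-decode the path, since the log records the URI exactly as the client sent it.
    path = unquote(rest.split("/", 1)[1]) if "/" in rest else ""
    return bool(GLOB_CHARS & set(path)) and bool(HTML_ACTIVE & set(path))


def find_suspicious(log_text):
    """Return (client, uri) pairs for every log line that trips the check above."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious_ftp_uri(m["uri"]):
            hits.append((m["client"], m["uri"]))
    return hits


if __name__ == "__main__":
    for client, uri in find_suspicious(SAMPLE_LOG):
        print(f"suspicious proxied FTP request from {client}: {uri}")
```

A plain `*.txt` glob is left alone; only a path that is both globbed and carries HTML-active characters is reported.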
VU#663763
Updated: August 08, 2008
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
See the Apache SVN revision links under Upgrade above for more details.
Thanks to Rapid7 and Apache for information that was used in this report.
This document was written by Ryan Giobbi.
Field | Value |
---|---|
CVE IDs | CVE-2008-2939 |
Severity Metric | 2.70 |
Date Public | |