In association with heise online

17 January 2008, 18:54

Cross-site scripting vulnerabilities in multiple Apache modules

Vulnerabilities have been found in multiple modules for the Apache web server, which serves over half of the world's web sites. Most of the flaws are cross-site scripting vulnerabilities; one could also be used for a denial of service attack. The affected modules are mod_status, mod_proxy_ftp, mod_proxy_balancer, mod_autoindex (Apache 1.3.x only) and mod_imagemap. In mod_status, for example, the value of the refresh parameter is copied unchecked into the Refresh response header, so appending a semicolon lets an attacker inject an additional URL into that header. Depending on where the unfiltered value ends up, such a bug can be used to redirect victims to a phishing site or to execute JavaScript in the victim's browser. The root cause in each case is inadequate filtering of request arguments or URLs before they are echoed back in the response. Apache versions 1.3.x, 2.0.x and 2.2.x are affected.
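The pattern behind the mod_status example, as an added illustration that is not Apache code and not part of the original article: a handler that copies a refresh query parameter straight into a Refresh header beside a hardened version that accepts only an integer number of seconds, plus a review check that flags requests carrying anything else in that parameter. The request lines, the /server-status path and the attacker.example host are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines for the example (not real log data).
SAMPLE_REQUESTS = [
    "/server-status?refresh=5",
    "/server-status?refresh=5;URL=http://attacker.example/login",
    "/server-status?refresh=5%3BURL%3Dhttp%3A%2F%2Fattacker.example%2F",
    "/server-status?notable",
]

# Only a plain run of ASCII digits is an acceptable refresh interval.
_DIGITS = re.compile(r"[0-9]+")


def query_params(url):
    """Split a request URL's query string into (name, value) pairs.

    Splits on '&' only, so a ';' stays inside the value exactly as a server
    that does not treat ';' as a separator would see it. Names and values
    are percent-decoded after splitting.
    """
    _, _, query = url.partition("?")
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote(name), unquote(value)))
    return pairs


def refresh_param(url):
    """Return the decoded value of the refresh parameter, or None if absent."""
    for name, value in query_params(url):
        if name.lower() == "refresh":
            return value
    return None


def refresh_header_unfiltered(url):
    """Vulnerable pattern: echo the parameter into the header unchecked.

    Anything after a ';' rides along, and 'N;URL=...' is exactly the syntax
    browsers honour as a redirect target in a Refresh header.
    """
    value = refresh_param(url)
    if value is None:
        return None
    return "Refresh: " + value


def refresh_header_validated(url):
    """Hardened pattern: emit the header only for a non-negative integer."""
    value = refresh_param(url)
    if value is None or not _DIGITS.fullmatch(value):
        return None
    return "Refresh: %d" % int(value)


def suspicious_refresh_requests(requests):
    """Review check: requests whose refresh value is not a plain integer."""
    flagged = []
    for url in requests:
        value = refresh_param(url)
        if value is not None and not _DIGITS.fullmatch(value):
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(url)
        print("  unfiltered:", refresh_header_unfiltered(url))
        print("  validated: ", refresh_header_validated(url))
    print("flagged:", suspicious_refresh_requests(SAMPLE_REQUESTS))
```

The check in suspicious_refresh_requests decodes before matching, so a percent-encoded semicolon (the third sample) is caught as well as a literal one; a check that only greps the raw request line for ';' would miss it.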

The vulnerabilities, none of which are classed as critical, are fixed in the development versions 2.2.7-dev, 1.3.40-dev and 2.0.62-dev. Linux distributors such as Red Hat and Mandriva have already released updated packages with the fixes applied.

(mba)