
Vulnerability of Apache httpd: Cross Site Scripting of mod_negotiation

Synthesis of the vulnerability 

When an attacker can upload a file into a directory with MultiViews enabled, they can trigger a Cross Site Scripting via the mod_negotiation module of Apache httpd.
Impacted products: Apache httpd, BIG-IP Hardware, TMOS, Fedora, HP-UX, NSMXpress, Mandriva Linux, openSUSE, Solaris, Trusted Solaris, RHEL.
Severity of this bulletin: 2/4.
Creation date: 21/08/2012.
References of this threat: BID-55131, c03734195, c03820647, CERTA-2012-AVI-460, CERTFR-2015-AVI-286, CVE-2012-2687, FEDORA-2013-1661, HPSBUX02866, JSA10685, MDVSA-2012:154, MDVSA-2012:154-1, openSUSE-SU-2013:0243-1, openSUSE-SU-2013:0245-1, openSUSE-SU-2013:0248-1, openSUSE-SU-2013:0629-1, openSUSE-SU-2013:0632-1, openSUSE-SU-2014:1647-1, RHSA-2012:1591-01, RHSA-2012:1592-01, RHSA-2012:1594-01, RHSA-2013:0130-01, RHSA-2013:0512-02, SOL15901, SSRT101139, VIGILANCE-VUL-11877.

Description of the vulnerability 

The mod_negotiation module chooses the best document to send to the client, based on the language and encoding the client accepts. The MultiViews configuration directive enables this automatic choice of the document.

The make_variant_list() function of the modules/mappers/mod_negotiation.c file generates the list of available documents, which is included in HTTP 300 replies (Multiple Choices). However, filenames are not filtered before being included in the generated HTML code.

When an attacker can upload a file into a directory with MultiViews enabled, the filename is therefore reflected unescaped into the 300 reply, and they can trigger a Cross Site Scripting via the mod_negotiation module of Apache httpd.
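A simplified Python model of the defect described above, added here as an illustration (it is not Apache's make_variant_list() code): the unpatched path copies variant filenames straight into the 300 Multiple Choices HTML, the hardened path HTML-escapes them first, and a small audit helper lists filenames in a MultiViews directory that would need escaping. The sample filenames are constructed.

```python
import html
import re

# Constructed sample filenames for a MultiViews directory (not real uploads).
# MultiViews offers "name.type.lang" variants when "name" alone is requested.
SAMPLE_VARIANTS = [
    "report.html.en",
    "report.html.fr",
    "report<b>.html.de",  # attacker-chosen name containing HTML markup
]

def vulnerable_variant_list(variants):
    """Model of the unpatched behaviour: each filename is copied into the
    300 'Multiple Choices' HTML without any filtering."""
    items = [f'<li><a href="{name}">{name}</a></li>' for name in variants]
    return "<ul>\n" + "\n".join(items) + "\n</ul>"

def fixed_variant_list(variants):
    """Hardened form: HTML-escape the filename, including quotes, since it
    is emitted both as link text and inside an href attribute."""
    items = []
    for name in variants:
        safe = html.escape(name, quote=True)
        items.append(f'<li><a href="{safe}">{safe}</a></li>')
    return "<ul>\n" + "\n".join(items) + "\n</ul>"

# Characters that change meaning when placed unescaped into HTML.
_HTML_META = re.compile(r'[<>"\'&]')

def risky_filenames(variants):
    """Audit helper for servers not yet patched: return the filenames that
    would be interpreted as markup if reflected into a 300 response."""
    return [name for name in variants if _HTML_META.search(name)]

def multiple_choices_response(variants, patched):
    """Assemble the 300 response as a client would receive it."""
    body = (fixed_variant_list if patched else vulnerable_variant_list)(variants)
    return ("HTTP/1.1 300 Multiple Choices\r\n"
            "Content-Type: text/html\r\n\r\n" + body)

if __name__ == "__main__":
    print(multiple_choices_response(SAMPLE_VARIANTS, patched=False))
    print(multiple_choices_response(SAMPLE_VARIANTS, patched=True))
    print("filenames needing review:", risky_filenames(SAMPLE_VARIANTS))
```

Running it side by side shows the raw `<b>` tag in the unpatched body and `&lt;b&gt;` in the hardened one; the audit helper is the check to run over upload directories while a vendor fix is pending.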

This vulnerability bulletin affects software or systems such as Apache httpd, BIG-IP Hardware, TMOS, Fedora, HP-UX, NSMXpress, Mandriva Linux, openSUSE, Solaris, Trusted Solaris, RHEL.

Our Vigil@nce team determined that the severity of this vulnerability alert is medium.

Trust level: confirmed by the vendor (origin: document).

An attacker with expert skills can exploit this vulnerability.

Solutions for this threat 

Apache httpd: version 2.4.3.
Version 2.4.3 is fixed:
  http://httpd.apache.org/download.cgi

Apache httpd: version 2.2.23.
Version 2.2.23 is fixed:
  http://httpd.apache.org/download.cgi

Apache httpd: patch for mod_negotiation.
A patch is available in information sources.

F5 BIG-IP: fixed versions for Apache.
Fixed versions are indicated in information sources.

Fedora 17: new httpd packages.
New packages are available:
  httpd-2.2.23-1.fc17

HP-UX: fixed versions for Apache and Tomcat.
The following versions are fixed:
  HP-UX B.11.23 :
    Apache : B.2.2.15.15
  HP-UX B.11.31 :
    Apache : B.2.2.15.15
    Tomcat : C.6.0.36.01, D.7.0.35.01
The updates are available at:
  https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW326

HP-UX: patch for Apache.
A patch is available:
  https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWST703501

Juniper NSMXpress: solution for Apache.
Versions Upgrade Package v4 and NSM 2012.2R9 are fixed.

Mandriva: new apache packages.
New packages are available:
  apache-*-2.2.23-0.1-mdv2011.0
  apache-*-2.2.23-0.1mdvmes5.2

openSUSE 11.4: new apache2 packages.
New packages are available:
  apache2-2.2.17-4.64.1

openSUSE 12.1: new apache2 packages.
New packages are available:
  apache2-2.2.21-3.9.1

openSUSE 12.2: new apache2 packages.
New packages are available:
  apache2-2.2.22-4.10.1

openSUSE 12.3: new apache2 packages.
New packages are available:
  openSUSE 12.3: apache2 2.2.29-10.16.1

openSUSE: new apache2 packages.
New packages are available:
  openSUSE 11.4 : apache2-2.2.17-4.68.1
  openSUSE 12.1 : apache2-2.2.21-3.13.1
  openSUSE 12.2 : apache2-2.2.22-4.14.1
  openSUSE 12.3 : apache2-2.2.22-10.4.1

RHEL 5: new httpd packages.
New packages are available:
  httpd-2.2.3-74.el5

RHEL 5: new JBoss Enterprise Application Platform packages.
New packages are available:
  jbossas-jbossweb-native-1.1.24-1.1
  httpd-2.2.22-14

RHEL 6: new httpd packages.
New packages are available:
  httpd-2.2.15-26.el6

Solaris 10: patch for Apache.
A patch is available:
  SPARC : 120543-30 (https://updates.oracle.com/Orion/Services/download?type=readme&bugfix_name=120543-30)
  x86 : 120544-30 (https://updates.oracle.com/Orion/Services/download?type=readme&bugfix_name=120544-30)

Solaris 11: patch 11.1.3.4.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1519192.1

Solaris 8, 9, 10: patch for Apache HTTP Server.
A patch is available:
  Solaris 8 :
    SPARC: 116973-10
    X86: 116974-10
  Solaris 9 :
    SPARC: 113146-16
    X86: 114145-15
  Solaris 10 :
    SPARC: 122911-32
    X86: 122912-32
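An added configuration example, not taken from the bulletin or from any vendor advisory above: since the bug is only reachable in directories where MultiViews is enabled and attackers can place files, disabling MultiViews on such directories removes the exposed code path while a patched package is being deployed. The paths are assumed placeholders.

```apacheconf
# Weak setting: content negotiation on a directory that accepts uploads,
# so uploaded filenames can be reflected into 300 Multiple Choices pages.
<Directory "/var/www/uploads">
    Options +MultiViews
</Directory>

# Hardened setting: no negotiation on the upload directory. Keep MultiViews
# only where the file set is controlled by the site operator.
<Directory "/var/www/uploads">
    Options -MultiViews
</Directory>
<Directory "/var/www/docs">
    Options +MultiViews
</Directory>
```

Verify the change with `apachectl -t` before reloading, and confirm that a request for a bare document name in the upload directory no longer returns a 300 response.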
