The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of Apache httpd: Cross Site Scripting of mod_proxy_balancer

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in Apache httpd mod_proxy_balancer, in order to execute JavaScript code in the context of the web site.
Severity of this threat: 2/4.
Creation date: 25/02/2013.
References of this weakness: BID-58165, CERTA-2013-AVI-153, CERTA-2013-AVI-387, CERTFR-2014-AVI-112, CERTFR-2015-AVI-286, CVE-2012-4558, DSA-2637-1, FEDORA-2013-4541, JSA10685, MDVSA-2013:015, MDVSA-2013:015-1, openSUSE-SU-2013:0629-1, openSUSE-SU-2013:0632-1, RHSA-2013:0815-01, RHSA-2013:1012-01, RHSA-2013:1013-01, RHSA-2013:1207-01, RHSA-2013:1208-01, RHSA-2013:1209-01, SSA:2013-062-01, VIGILANCE-VUL-12458.

Description of the vulnerability

The Apache httpd mod_proxy_balancer module extends mod_proxy to distribute proxied requests across a pool of backend workers (the members of a balancer). It ships an optional management page, served by the balancer-manager handler, that shows and edits balancer and worker settings.

However, the manager interface of this module does not escape received data (such as balancer and worker names taken from the request) before inserting them into the generated HTML page.

An attacker can therefore trigger a reflected Cross Site Scripting in the Apache httpd mod_proxy_balancer manager, by luring an administrator to a crafted balancer-manager URL, in order to execute JavaScript code in the context of the web site, with the privileges that administrator holds on the manager page. The page only exists on servers where the balancer-manager handler has been explicitly configured, and the Apache documentation already recommends restricting it to authorized users, which limits who can be targeted but does not remove the flaw.
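The defect class behind this bulletin, shown as an added illustration in plain C rather than Apache's own code: a request-supplied name is interpolated into the manager page, once without escaping (the vulnerable shape) and once through an HTML escaper (the fixed shape). The function names html_escape, render_row_unescaped and render_row_escaped, and the row template, are hypothetical and do not correspond to identifiers in mod_proxy_balancer.c.

```c
/*
 * Added illustration (not Apache's code): reflected XSS from copying a
 * request parameter into generated HTML, beside the escaped version.
 * All identifiers here are hypothetical.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replace the five characters HTML treats specially. Caller frees. */
char *html_escape(const char *s)
{
    size_t len = 0;
    const char *p;
    for (p = s; *p; p++) {
        switch (*p) {
        case '&':  len += 5; break;   /* &amp;  */
        case '<':  len += 4; break;   /* &lt;   */
        case '>':  len += 4; break;   /* &gt;   */
        case '"':  len += 6; break;   /* &quot; */
        case '\'': len += 5; break;   /* &#39;  */
        default:   len += 1;
        }
    }
    char *out = malloc(len + 1);
    if (!out) return NULL;
    char *q = out;
    for (p = s; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) { size_t r = strlen(rep); memcpy(q, rep, r); q += r; }
        else *q++ = *p;
    }
    *q = '\0';
    return out;
}

/* Builds one table row of a manager-style page from a name. Caller frees. */
static char *format_row(const char *name)
{
    const char *fmt = "<tr><td><a href=\"?b=%s\">%s</a></td></tr>";
    size_t n = strlen(fmt) + 2 * strlen(name) + 1;
    char *out = malloc(n);
    if (!out) return NULL;
    snprintf(out, n, fmt, name, name);
    return out;
}

/* Vulnerable: the query-string value goes straight into attribute and text. */
char *render_row_unescaped(const char *name)
{
    return format_row(name);
}

/* Fixed: escape before interpolation, so the value can only be data. */
char *render_row_escaped(const char *name)
{
    char *esc = html_escape(name);
    if (!esc) return NULL;
    char *out = format_row(esc);
    free(esc);
    return out;
}

/* 1 if a script element from the input survived into the output, else 0. */
int contains_raw_tag(const char *html)
{
    return strstr(html, "<script") != NULL;
}

int main(void)
{
    /* Constructed attacker-controlled value, as it would arrive in a query parameter. */
    const char *payload = "x\"><script>alert(1)</script>";
    char *bad = render_row_unescaped(payload);
    char *good = render_row_escaped(payload);
    printf("unescaped: %s\n  %s\n", bad, contains_raw_tag(bad) ? "script injected" : "inert");
    printf("escaped:   %s\n  %s\n", good, contains_raw_tag(good) ? "script injected" : "inert");
    free(bad);
    free(good);
    return 0;
}
```

The escaper covers both the attribute context (the quote that closes href) and the element text context in the same row; the upstream fix in 2.2.24 and 2.4.4 likewise escapes the reflected values before they reach the page, rather than trying to reject "bad" characters on input.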

This bulletin applies to software and systems such as Apache httpd, Debian, Fedora, NSMXpress, Mandriva Linux, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, Slackware.

The Vigil@nce team rates the severity of this threat as medium (2/4).

Trust level: confirmed by the editor (Apache), based on the editor's own document.

Exploiting this vulnerability requires expert skills, and a victim who can reach the balancer-manager page.
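Because the vulnerable page is only served where the balancer-manager handler is enabled, the exposure can be reduced while the patched versions listed below are rolled out. The following httpd configuration fragment is an added example, not part of the Vigil@nce bulletin or of Apache's documentation; the path /balancer-manager and the network 10.0.0.0/8 are placeholders.

```apache
# Weak: the manager is reachable from anywhere, so any user of the site
# can be lured to a crafted balancer-manager URL.
<Location /balancer-manager>
    SetHandler balancer-manager
</Location>

# Reduced exposure (httpd 2.4 syntax): only an administrative network
# can load the page, so only those clients can be targeted by the XSS.
<Location /balancer-manager>
    SetHandler balancer-manager
    Require ip 10.0.0.0/8
</Location>

# Same restriction for httpd 2.2, which uses mod_authz_host directives.
<Location /balancer-manager>
    SetHandler balancer-manager
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8
</Location>
```

The restriction narrows the set of possible victims to administrators on the trusted network; it does not fix the missing escaping, so hosts that do not need live balancer editing are better served by removing the Location block entirely, and every host still needs the update.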

Solutions for this threat

Apache httpd: version 2.4.4.
The version 2.4.4 is fixed:
  http://httpd.apache.org/
  http://archive.apache.org/dist/httpd/

Apache httpd: version 2.2.24.
The version 2.2.24 is fixed:
  http://httpd.apache.org/download.cgi

Debian: new apache2 packages.
New packages are available:
  apache2 2.2.16-6+squeeze11

Fedora 18: new httpd packages.
New packages are available:
  httpd-2.4.4-2.fc18

Juniper NSMXpress: solution for Apache.
Versions NSM 2012.2R9 and Upgrade Package v4 are fixed.

Mandriva: new apache packages.
New packages are available:
  apache-2.2.24-0.1-mdv2011.0
  apache-2.2.24-0.1mdvmes5.2
  apache-2.2.24-1.mbs1

openSUSE: new apache2 packages.
New packages are available:
  openSUSE 11.4 : apache2-2.2.17-4.68.1
  openSUSE 12.1 : apache2-2.2.21-3.13.1
  openSUSE 12.2 : apache2-2.2.22-4.14.1
  openSUSE 12.3 : apache2-2.2.22-10.4.1

Red Hat JBoss Enterprise Application Platform: version 6.1.1.
Version 6.1.1 is fixed.

RHEL: JBoss Web Server version 2.0.1.
The version JBoss Web Server 2.0.1 is fixed:
  apache-commons-daemon-eap6-1.0.15-4.redhat_1.ep6
  apache-commons-daemon-jsvc-eap6-1.0.15-1.redhat_1.ep6
  apache-commons-pool-eap6-1.6-6.redhat_4.ep6
  dom4j-1.6.1-19.redhat_5.ep6
  ecj3-3.7.2-6.redhat_1.ep6
  httpd-2.2.22-23.ep6
  mod_cluster-1.2.4-1.Final_redhat_1.ep6
  mod_cluster-native-1.2.4-1.Final.redhat_1.ep6
  mod_jk-1.2.37-2.redhat_1.ep6
  tomcat-native-1.1.27-4.redhat_1.ep6
  tomcat6-6.0.37-8_patch_01.ep6
  tomcat7-7.0.40-9_patch_01.ep6

RHEL: new httpd packages.
New packages are available (Red Hat backports the fix, so the upstream version number stays below 2.2.24; check the package release instead):
  httpd-2.2.3-78.el5_9
  httpd-2.2.15-28.el6_4

Slackware: new httpd packages.
New packages are available:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/httpd-2.2.24-i486-1_slack12.1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/httpd-2.2.24-i486-1_slack12.2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/httpd-2.2.24-i486-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/httpd-2.2.24-x86_64-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/httpd-2.2.24-i486-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/httpd-2.2.24-x86_64-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/httpd-2.2.24-i486-1_slack13.37.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/httpd-2.2.24-x86_64-1_slack13.37.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/httpd-2.4.4-i486-1_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/httpd-2.4.4-x86_64-1_slack14.0.txz

Solaris 10: patch for Apache HTTP server.
A patch is available from Oracle support.

Solaris 11: version 11.1.7.5.0.
The version 11.1.7.5.0 is fixed:
  https://support.oracle.com/rs?type=doc&id=1554870.1
