The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache httpd: Cross Site Scripting of modules

Synthesis of the vulnerability 

An attacker can trigger several Cross Site Scripting flaws in the mod_info, mod_status, mod_imagemap, mod_ldap and mod_proxy_ftp modules, in order to execute JavaScript code in the context of the web site.
Vulnerable software: Apache httpd, Debian, Fedora, HP-UX, NSMXpress, Mandriva Linux, openSUSE, Solaris, Trusted Solaris, RHEL, JBoss EAP by Red Hat, Slackware.
Severity of this announcement: 2/4.
Creation date: 25/02/2013.
References of this computer vulnerability: BID-58165, c03734195, CERTA-2013-AVI-153, CERTA-2013-AVI-387, CERTA-2013-AVI-543, CERTA-2013-AVI-590, CERTFR-2014-AVI-112, CERTFR-2014-AVI-244, CERTFR-2015-AVI-286, CVE-2012-3499, DSA-2637-1, FEDORA-2013-4541, HPSBUX02866, JSA10685, MDVSA-2013:015, MDVSA-2013:015-1, openSUSE-SU-2013:0629-1, openSUSE-SU-2013:0632-1, RHSA-2013:0815-01, RHSA-2013:1012-01, RHSA-2013:1013-01, RHSA-2013:1207-01, RHSA-2013:1208-01, RHSA-2013:1209-01, SSA:2013-062-01, SSRT101139, VIGILANCE-VUL-12457.

Description of the vulnerability 

The Apache httpd service can use several modules.

However, the mod_info, mod_status, mod_imagemap, mod_ldap and mod_proxy_ftp modules do not correctly validate received data before inserting it into the generated web document.

An attacker can therefore trigger several Cross Site Scripting flaws in the mod_info, mod_status, mod_imagemap, mod_ldap and mod_proxy_ftp modules, in order to execute JavaScript code in the context of the web site.

This computer threat announcement impacts software or systems such as Apache httpd, Debian, Fedora, HP-UX, NSMXpress, Mandriva Linux, openSUSE, Solaris, Trusted Solaris, RHEL, JBoss EAP by Red Hat, Slackware.

Our Vigil@nce team determined that the severity of this computer vulnerability is medium.

The trust level is: confirmed by the vendor, with an origin of: document.

An attacker with an expert ability can exploit this cybersecurity alert.

Solutions for this threat 

Apache httpd: version 2.4.4.
The version 2.4.4 is fixed:
  http://httpd.apache.org/
  http://archive.apache.org/dist/httpd/

Apache httpd: version 2.2.24.
The version 2.2.24 is fixed:
  http://httpd.apache.org/download.cgi
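As an added check that is not part of the bulletin, the following Python classifies an httpd version banner against the two fixed upstream releases above (2.2.24 and 2.4.4). The `assess` helper, its status strings and the sample banners are constructed for this example; the backport caveat it encodes refers to the vendor packages listed further down, which keep an older upstream version string while carrying the fix.

```python
import re

# Upstream Apache httpd releases that fix this issue, as given in the bulletin.
FIXED_UPSTREAM = {(2, 2): (2, 2, 24), (2, 4): (2, 4, 4)}

# Matches the version in "httpd -v" output ("Server version: Apache/2.4.4 (Unix)")
# or in a Server response header ("Apache/2.2.15 (Red Hat)").
VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")

def parse_httpd_version(banner):
    """Return (major, minor, patch) from a banner, or None if no version is present."""
    m = VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None

def upstream_status(version):
    """Classify an upstream version: 'fixed', 'vulnerable', or 'unknown-branch'
    for branches the bulletin does not list (e.g. 2.0.x)."""
    branch = version[:2]
    if branch not in FIXED_UPSTREAM:
        return "unknown-branch"
    return "fixed" if version >= FIXED_UPSTREAM[branch] else "vulnerable"

def assess(banner, vendor_patched=False):
    """Version check plus the distribution-backport caveat.

    Distribution packages (httpd-2.2.15-28.el6_4, apache2 2.2.16-6+squeeze11 in the
    bulletin) keep the old upstream version string while carrying the fix, so a bare
    version comparison over-reports. Pass vendor_patched=True once the installed
    package has been checked against the bulletin's package list (rpm -q, dpkg -l).
    """
    version = parse_httpd_version(banner)
    if version is None:
        return "no-version"
    status = upstream_status(version)
    if status == "vulnerable" and vendor_patched:
        return "fixed-by-vendor-backport"
    return status

# Constructed sample banners, not captured from real hosts.
SAMPLES = [
    "Server version: Apache/2.4.3 (Unix)",
    "Server version: Apache/2.4.4 (Unix)",
    "Server version: Apache/2.2.15 (Unix)",  # RHEL 6 style; fix is backported
    "Server version: Apache/2.2.24 (Unix)",
]

if __name__ == "__main__":
    for b in SAMPLES:
        print(b, "->", assess(b))
```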

Debian: new apache2 packages.
New packages are available:
  apache2 2.2.16-6+squeeze11

Fedora 18: new httpd packages.
New packages are available:
  httpd-2.4.4-2.fc18

HP-UX: fixed versions for Apache and Tomcat.
The following versions are fixed:
  HP-UX B.11.23:
    Apache: B.2.2.15.15
  HP-UX B.11.31:
    Apache: B.2.2.15.15
    Tomcat: C.6.0.36.01, D.7.0.35.01
The updates are available at:
  https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW326

Juniper NSMXpress: solution for Apache.
Versions Upgrade Package v4, NSM 2012.2R9 are fixed.

Mandriva: new apache packages.
New packages are available:
  apache-2.2.24-0.1-mdv2011.0
  apache-2.2.24-0.1mdvmes5.2
  apache-2.2.24-1.mbs1

openSUSE: new apache2 packages.
New packages are available:
  openSUSE 11.4: apache2-2.2.17-4.68.1
  openSUSE 12.1: apache2-2.2.21-3.13.1
  openSUSE 12.2: apache2-2.2.22-4.14.1
  openSUSE 12.3: apache2-2.2.22-10.4.1

Red Hat JBoss Enterprise Application Platform: version 6.1.1.
Version 6.1.1 is fixed.

RHEL: JBoss Web Server version 2.0.1.
The version JBoss Web Server 2.0.1 is fixed:
  apache-commons-daemon-eap6-1.0.15-4.redhat_1.ep6
  apache-commons-daemon-jsvc-eap6-1.0.15-1.redhat_1.ep6
  apache-commons-pool-eap6-1.6-6.redhat_4.ep6
  dom4j-1.6.1-19.redhat_5.ep6
  ecj3-3.7.2-6.redhat_1.ep6
  httpd-2.2.22-23.ep6
  mod_cluster-1.2.4-1.Final_redhat_1.ep6
  mod_cluster-native-1.2.4-1.Final.redhat_1.ep6
  mod_jk-1.2.37-2.redhat_1.ep6
  tomcat-native-1.1.27-4.redhat_1.ep6
  tomcat6-6.0.37-8_patch_01.ep6
  tomcat7-7.0.40-9_patch_01.ep6

RHEL: new httpd packages.
New packages are available:
  httpd-2.2.3-78.el5_9
  httpd-2.2.15-28.el6_4

Slackware: new httpd packages.
New packages are available:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/httpd-2.2.24-i486-1_slack12.1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/httpd-2.2.24-i486-1_slack12.2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/httpd-2.2.24-i486-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/httpd-2.2.24-x86_64-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/httpd-2.2.24-i486-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/httpd-2.2.24-x86_64-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/httpd-2.2.24-i486-1_slack13.37.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/httpd-2.2.24-x86_64-1_slack13.37.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/httpd-2.4.4-i486-1_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/httpd-2.4.4-x86_64-1_slack14.0.txz

Solaris 10: patch for Apache HTTP Server.
A patch is available from Oracle support.

Solaris 10: patch for Apache HTTP Server.
A patch is available:
  SPARC: 120543-32
  X86: 120544-32

Solaris 11.1: version 11.1.11.4.0.
The version 11.1.11.4.0 is fixed:
  https://support.oracle.com/rs?type=doc&id=1584262.1

Solaris 11: version 11.1.7.5.0.
The version 11.1.7.5.0 is fixed:
  https://support.oracle.com/rs?type=doc&id=1554870.1

Solaris 8, 9, 10: patch for Apache HTTP Server.
A patch is available:
  Solaris 8:
    SPARC: 116973-10
    X86: 116974-10
  Solaris 9:
    SPARC: 113146-16
    X86: 114145-15
  Solaris 10:
    SPARC: 122911-32
    X86: 122912-32

Computer vulnerabilities tracking service 

Vigil@nce provides a system vulnerability workaround. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications.