Bugzilla: 289511: CVE-2007-4465 mod_autoindex XSS
The MITRE CVE dictionary describes this issue as:
Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitrary web script or HTML via the P parameter using the UTF-7 charset. NOTE: it could be argued that this issue is due to a design limitation of browsers that attempt to perform automatic content type detection.
This is actually a flaw in browsers that do not derive the response character set as required by RFC 2616. This does not affect the default configuration of Apache httpd in Red Hat products and will only affect customers who have removed the "AddDefaultCharset" directive and are using directory indexes. The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.
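As an added illustration, not code from the Red Hat page or the httpd project, the following check flags the precondition the advisory describes: an HTML directory index served with no charset declared in either the Content-Type header or a meta tag, leaving the browser to guess the encoding. The sample responses are constructed, and the function names are this example's own.

```python
import re
from email.message import Message  # stdlib parser for Content-Type parameters

# Constructed sample responses (not captured from a real server).
# With "AddDefaultCharset" removed, a mod_autoindex listing is sent as a bare
# "text/html" media type; with "AddDefaultCharset UTF-8" httpd adds the charset.
INDEX_BODY = "<html><head><title>Index of /pub</title></head><body></body></html>"
VULNERABLE_RESPONSE = ({"Content-Type": "text/html"}, INDEX_BODY)
HARDENED_RESPONSE = ({"Content-Type": "text/html; charset=UTF-8"}, INDEX_BODY)
META_RESPONSE = (
    {"Content-Type": "text/html"},
    '<html><head><meta charset="utf-8"><title>Index of /pub</title></head></html>',
)

_META_CHARSET = re.compile(r'<meta[^>]*charset\s*=\s*["\']?\s*([A-Za-z0-9_.:-]+)', re.I)


def _parsed_content_type(headers):
    """Wrap the Content-Type header in a Message so the stdlib parses it."""
    msg = Message()
    msg["Content-Type"] = headers.get("Content-Type", "")
    return msg


def is_html(headers):
    """True when the response media type is text/html."""
    return _parsed_content_type(headers).get_content_type() == "text/html"


def header_charset(headers):
    """Return the charset parameter of Content-Type, lower-cased, or None."""
    return _parsed_content_type(headers).get_content_charset()


def body_charset(body):
    """Return a charset declared by a <meta> tag in the document, or None."""
    match = _META_CHARSET.search(body)
    return match.group(1).lower() if match else None


def charset_undeclared(headers, body):
    """True when an HTML response declares no charset anywhere.

    This is the condition under which a sniffing browser may pick an
    encoding such as UTF-7 instead of the RFC 2616 default.
    """
    if not is_html(headers):
        return False
    return header_charset(headers) is None and body_charset(body) is None
```

Running the check against a real listing only needs the response headers and body passed in place of the constructed samples.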
Red Hat security errata
|Platform (package)||Advisory||Release date|
|Red Hat Application Stack v1 for Enterprise Linux AS (v.4) (httpd)||RHSA-2007:0911||October 25, 2007|
|Red Hat Application Stack v2 for Enterprise Linux (v.5) (httpd)||RHSA-2007:0911||October 25, 2007|
|Red Hat Certificate System 7.3 for 4AS||RHSA-2010:0602||August 04, 2010|
|Red Hat Enterprise Linux version 2.1 (apache)||RHSA-2008:0004||January 15, 2008|
|Red Hat Enterprise Linux version 3 (httpd)||RHSA-2008:0005||January 15, 2008|
|Red Hat Enterprise Linux version 4 (httpd)||RHSA-2008:0006||January 15, 2008|
|Red Hat Enterprise Linux version 5 (httpd)||RHSA-2008:0008||January 15, 2008|
|Red Hat Satellite 5.0 (RHEL v.4 AS)||RHSA-2008:0261||May 20, 2008|
|Red Hat Satellite Proxy v 4.2 (RHEL v.3 AS)||RHSA-2008:0523||June 30, 2008|
|Red Hat Satellite Proxy v 4.2 (RHEL v.4 AS)||RHSA-2008:0523||June 30, 2008|
|Red Hat Satellite v 4.2 (RHEL v.3 AS)||RHSA-2008:0524||June 30, 2008|
|Red Hat Satellite v 4.2 (RHEL v.4 AS)||RHSA-2008:0524||June 30, 2008|
This page is generated automatically and has not been checked for errors or omissions.
For clarification or corrections please contact the Red Hat Security Response Team.