CVE Database

CVE-2007-4465

Impact: Low
Public: 2007-09-13
Bugzilla: 289511: CVE-2007-4465 mod_autoindex XSS

Details

The MITRE CVE dictionary describes this issue as:

Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitrary web script or HTML via the P parameter using the UTF-7 charset. NOTE: it could be argued that this issue is due to a design limitation of browsers that attempt to perform automatic content type detection.

Find out more about CVE-2007-4465 from the MITRE CVE dictionary and NIST NVD.

Statement

This is actually a flaw in browsers that do not derive the response character set as required by RFC 2616. It does not affect the default configuration of Apache httpd in Red Hat products and will only affect customers who have removed the "AddDefaultCharset" directive and are using directory indexes. The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-4465
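As an added illustration of the condition described in the statement above (this is example configuration written for this page, not the httpd project's or Red Hat's own configuration), the following httpd.conf fragment shows the weakened setup beside the hardened one. The directory path and the UTF-8 charset value are assumptions chosen for the example.

```apache
# Weakened setup (constructed example): directory listings are enabled and
# no default charset is declared, so mod_autoindex pages go out as plain
# "Content-Type: text/html". A browser that sniffs the encoding instead of
# following RFC 2616 is then exposed to the issue described in CVE-2007-4465.
<Directory "/var/www/html/pub">
    Options +Indexes
</Directory>
# (AddDefaultCharset has been removed from this configuration)

# Hardened setup: declare a charset for text/html and text/plain responses so
# that server-generated pages, including directory listings, are sent as
# "Content-Type: text/html; charset=UTF-8" and the browser has nothing to guess.
AddDefaultCharset UTF-8

# Additionally, turn off automatic listings wherever they are not required.
<Directory "/var/www/html/pub">
    Options -Indexes
</Directory>
```

To confirm the fix on a running server, request a directory URL with a HEAD request and check that the Content-Type response header for the listing carries a charset parameter; if it is absent, AddDefaultCharset is still missing from the effective configuration.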

Red Hat security errata

Platform | Errata | Release Date
Red Hat Application Stack v1 for Enterprise Linux AS (v.4) (httpd) | RHSA-2007:0911 | October 25, 2007
Red Hat Application Stack v2 for Enterprise Linux (v.5) (httpd) | RHSA-2007:0911 | October 25, 2007
Red Hat Certificate System 7.3 for 4AS | RHSA-2010:0602 | August 04, 2010
Red Hat Enterprise Linux version 2.1 (apache) | RHSA-2008:0004 | January 15, 2008
Red Hat Enterprise Linux version 3 (httpd) | RHSA-2008:0005 | January 15, 2008
Red Hat Enterprise Linux version 4 (httpd) | RHSA-2008:0006 | January 15, 2008
Red Hat Enterprise Linux version 5 (httpd) | RHSA-2008:0008 | January 15, 2008
Red Hat Satellite 5.0 (RHEL v.4 AS) | RHSA-2008:0261 | May 20, 2008
Red Hat Satellite Proxy v 4.2 (RHEL v.3 AS) | RHSA-2008:0523 | June 30, 2008
Red Hat Satellite Proxy v 4.2 (RHEL v.4 AS) | RHSA-2008:0523 | June 30, 2008
Red Hat Satellite v 4.2 (RHEL v.3 AS) | RHSA-2008:0524 | June 30, 2008
Red Hat Satellite v 4.2 (RHEL v.4 AS) | RHSA-2008:0524 | June 30, 2008

External References

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact the Red Hat Security Response Team.