CVE-2007-4465

Impact:
Low
Public Date:
2007-09-13
CWE:
CWE-79
Bugzilla:
289511: CVE-2007-4465 mod_autoindex XSS

The MITRE CVE dictionary describes this issue as:

Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitrary web script or HTML via the P parameter using the UTF-7 charset. NOTE: it could be argued that this issue is due to a design limitation of browsers that attempt to perform automatic content type detection.

Find out more about CVE-2007-4465 from the MITRE CVE dictionary and NIST NVD.

Statement

This is actually a flaw in browsers that do not derive the response character set as required by RFC 2616: when a text/* response carries no charset parameter, RFC 2616 section 3.7.1 defines the default as ISO-8859-1, and a browser that instead sniffs the body for an encoding such as UTF-7 can turn escaped, reflected input back into markup. This does not affect the default configuration of Apache httpd in Red Hat products, which sets a charset on every response, and will only affect customers who have removed the "AddDefaultCharset" directive and are using mod_autoindex directory indexes. The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-4465
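The two points above (the UTF-7 trick in the CVE description, and the AddDefaultCharset condition in the statement) as one worked example. This is added code, not Red Hat's or Apache's: the escaper is a simplified stand-in for a server-side HTML escaper, the HTTP responses are constructed by hand, and no real host is contacted. It shows that a UTF-7 shift sequence carries "<script>" without a single literal "<" or ">", so it passes an escaper untouched and only becomes markup if the browser guesses the charset; and it gives the check a practitioner would run on a directory-index response to see whether the charset is declared.

```python
"""Added example (not Red Hat's or Apache's code): why a missing charset
turns an HTML-escaped reflection into XSS, and the check to run on a
server response.  All sample data below is constructed for illustration.
"""
import base64
import re


# RFC 2152: characters outside "Set D" may be carried inside a "+...-"
# shift sequence as modified base64 over UTF-16BE code units.  Encoding the
# whole string in one shift sequence guarantees that no '<', '>', '&' or '"'
# survives as a literal byte on the wire.  (Python's own utf-7 codec leaves
# '<' and '>' unencoded, so the shift is built here by hand.)
def utf7_shift(text: str) -> str:
    units = text.encode("utf-16-be")
    b64 = base64.b64encode(units).decode("ascii").rstrip("=")
    return "+" + b64 + "-"


# Simplified HTML escaper covering the four metacharacters a server-side
# escaper neutralises.  Assumption: this is what happens to the reflected
# P parameter before it is written into the index page.
def html_escape(s: str) -> str:
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def escaped_payload_survives(markup: str) -> bool:
    """True if the UTF-7 form of `markup` passes the escaper unchanged and
    still decodes back to `markup` under a UTF-7 interpretation, i.e. what a
    charset-sniffing browser does when the response declares no charset."""
    wire = utf7_shift(markup)
    sniffed = html_escape(wire).encode("ascii").decode("utf-7")
    return html_escape(wire) == wire and sniffed == markup


# --- the check to run against a real directory-index response ------------
_CHARSET_RE = re.compile(r";\s*charset\s*=\s*[\"']?([\w.-]+)", re.I)


def declared_charset(content_type: str):
    """Return the charset named in a Content-Type header value, or None."""
    m = _CHARSET_RE.search(content_type or "")
    return m.group(1).lower() if m else None


def index_page_is_exposed(raw_response: bytes) -> bool:
    """A server-generated page is exposed to charset sniffing when it is
    served as text/html with no charset parameter at all."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "")
    is_html = ctype.split(";")[0].strip().lower() == "text/html"
    return is_html and declared_charset(ctype) is None


# Constructed responses: one from a host with AddDefaultCharset removed,
# one with the directive in place (Red Hat's default, e.g. UTF-8).
RESPONSE_WITHOUT_CHARSET = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><head><title>Index of /pub</title></head>..."
)
RESPONSE_WITH_CHARSET = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html><head><title>Index of /pub</title></head>..."
)

if __name__ == "__main__":
    markup = "<script>alert(1)</script>"
    print("UTF-7 form on the wire:", utf7_shift(markup))
    print("passes escaper, sniffs as markup:", escaped_payload_survives(markup))
    print("no-charset response exposed:", index_page_is_exposed(RESPONSE_WITHOUT_CHARSET))
    print("charset response exposed:", index_page_is_exposed(RESPONSE_WITH_CHARSET))
```

Against a live server, feed index_page_is_exposed the raw bytes of a request for a directory listing (with or without a P query argument; the header check does not depend on the body). A True result means the listing should get a charset, most simply by restoring AddDefaultCharset; a False result with an explicit charset is the state the Red Hat default configuration ships in.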

Red Hat Security Errata

Platform                                                             Errata          Release Date
Red Hat Satellite v 4.2 (RHEL v.3 AS)                                RHSA-2008:0524  2008-06-30
Red Hat Satellite Proxy v 4.2 (RHEL v.4 AS)                          RHSA-2008:0523  2008-06-30
Red Hat Certificate System 7.3 for 4AS                               RHSA-2010:0602  2010-08-04
Red Hat Satellite v 4.2 (RHEL v.4 AS)                                RHSA-2008:0524  2008-06-30
Red Hat Satellite 5.0 (RHEL v.4 AS)                                  RHSA-2008:0261  2008-05-20
Red Hat Enterprise Linux 2.1 (apache)                                RHSA-2008:0004  2008-01-15
Red Hat Enterprise Linux 4 (httpd)                                   RHSA-2008:0006  2008-01-15
Red Hat Enterprise Linux 3 (httpd)                                   RHSA-2008:0005  2008-01-15
Red Hat Satellite Proxy v 4.2 (RHEL v.3 AS)                          RHSA-2008:0523  2008-06-30
Red Hat Application Stack v2 for Enterprise Linux (v.5) (httpd)      RHSA-2007:0911  2007-10-25
Red Hat Application Stack v1 for Enterprise Linux AS (v.4) (httpd)   RHSA-2007:0911  2007-10-25
Red Hat Enterprise Linux 5 (httpd)                                   RHSA-2008:0008  2008-01-15
CVE description copyright © 2017, The MITRE Corporation