
Interstage HTTP Server: Security vulnerability in the server status monitoring function (CVE-2007-6388). December 17th, 2008



1. Description

The server status monitoring function of Interstage HTTP Server (the mod_status module, served at /server-status) contains a cross-site scripting vulnerability. A client that views the status page may be made to connect to an unintended site. This vulnerability is detailed in CVE-2007-6388.

Fujitsu provides the security patches listed in section 3.
Please apply them as soon as possible.

2. Impact

An attacker who convinces a victim to visit a malicious site can use this vulnerability to phish the victim, or can lead the victim to the affected server status page so that the cross-site scripting (XSS) vulnerability executes arbitrary script in the victim's Web browser.

3. Affected systems and corresponding action

3-1. Affected systems:

GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, AT-compatible machine, PRIMEQUEST, SPARC Enterprise

3-2. Affected products and required patch

Note: The directives to disable in "Workaround" (3-3) depend on the product. The letter in square brackets after each product name ([a] to [d]) identifies which set of directives in "Workaround" applies to that product.

Interstage Application Server
Product [Workaround] | Target OS | Package name | Patch ID
Interstage Application Server Enterprise Edition V5.0 for Windows [a] | Windows | F3FMihs | TP09823*
Interstage Application Server Standard Edition V5.0 for Windows [a] | Windows | F3FMihs | TP09823*
Interstage Application Server Web-J Edition V5.0 for Windows [a] | Windows | F3FMihs | TP09823*
Interstage Application Server Plus V5.0.1 for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Plus Developer V5.0.1 for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Enterprise Edition V6.0 for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Plus V6.0 for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Plus Developer V6.0 for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Enterprise Edition V7.0 for Windows [a] | Windows | F3FMihs | TP39823*
Interstage Application Server Plus V7.0 for Windows [a] | Windows | F3FMihs | TP39823*
Interstage Application Server Plus Developer V7.0 for Windows [a] | Windows | F3FMihs | TP39823*
Interstage Application Server Enterprise Edition V7.0.1 for Windows [a] | Windows | F3FMihs | TP39823*
Interstage Application Server Plus V7.0.1 for Windows [a] | Windows | F3FMihs | TP39823*
Interstage Application Server Enterprise Edition 8.0.0 for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Standard-J Edition 8.0.0 for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Enterprise Edition 8.0.1 for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Standard-J Edition 8.0.1 for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Enterprise Edition 8.0.2 for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Standard-J Edition 8.0.2 for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Enterprise Edition V9.0.0 for Windows [b] | Windows | F3FMihs | *
Interstage Application Server Standard-J Edition V9.0.0 for Windows [b] | Windows | F3FMihs | *
Interstage Application Server Enterprise Edition V9.0.0A for Windows [b] | Windows | F3FMihs | *
Interstage Application Server Standard-J Edition V9.0.0A for Windows [b] | Windows | F3FMihs | *
Interstage Application Server Enterprise Edition 5.0 [c] | Solaris | FJSVihs | 912327-11*
Interstage Application Server Standard Edition 5.0 [c] | Solaris | FJSVihs | 912327-11*
Interstage Application Server Web-J Edition 5.0 [c] | Solaris | FJSVihs | 912327-11*
Interstage Application Server Enterprise Edition 5.0.1 [c] | Solaris | FJSVihs | *
Interstage Application Server Enterprise Edition 6.0 [c] | Solaris | FJSVihs | T0103S-07*
Interstage Application Server Enterprise Edition 7.0 [c] | Solaris | FJSVihs | T013RS-06*
Interstage Application Server Plus 7.0 [c] | Solaris | FJSVihs | T013RS-06*
Interstage Application Server Enterprise Edition 7.0.1 [c] | Solaris | FJSVihs | T023AS-05*
Interstage Application Server Plus 7.0.1 [c] | Solaris | FJSVihs | T023AS-05*
Interstage Application Server Enterprise Edition 8.0.0 [c] | Solaris | FJSVihs | *
Interstage Application Server Standard-J Edition 8.0.0 [c] | Solaris | FJSVihs | *
Interstage Application Server Enterprise Edition 8.0.2 [c] | Solaris | FJSVihs | *
Interstage Application Server Standard-J Edition 8.0.2 [c] | Solaris | FJSVihs | *
Interstage Application Server Enterprise Edition V9.0.0 [d] | Solaris | FJSVihs | *
Interstage Application Server Standard-J Edition V9.0.0 [d] | Solaris | FJSVihs | *
Interstage Application Server Enterprise Edition V5.0 [c] | Turbolinux 7 Server | FJSVihs | T00019-10*
Interstage Application Server Standard Edition V5.0 [c] | Turbolinux 7 Server | FJSVihs | T00019-10*
Interstage Application Server Web-J Edition V5.0 [c] | Turbolinux 7 Server | FJSVihs | T00019-10*
Interstage Application Server Enterprise Edition V6.0 [c] | RHEL-AS3(x86)/ ES3(x86) | FJSVihs | *
Interstage Application Server Enterprise Edition V7.0 [c] | RHEL-AS3(x86)/ ES3(x86) | FJSVihs | T00603-05*
Interstage Application Server Plus V7.0 [c] | RHEL-AS3(x86)/ ES3(x86) | FJSVihs | T00603-05*
Interstage Application Server Enterprise Edition V7.0.1 [c] | RHEL-AS3(x86)/ ES3(x86)/ AS4(x86) | FJSVihs | T00603-05*
Interstage Application Server Plus V7.0.1 [c] | RHEL-AS3(x86)/ ES3(x86)/ AS4(x86) | FJSVihs | T00603-05*
Interstage Application Server Enterprise Edition 8.0.0 [c] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | *
Interstage Application Server Standard-J Edition 8.0.0 [c] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | *
Interstage Application Server Enterprise Edition 8.0.2 [c] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | *
Interstage Application Server Standard-J Edition 8.0.2 [c] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | *
Interstage Application Server Enterprise Edition V9.0.0 [d] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | *
Interstage Application Server Enterprise Edition V9.0.0 [d] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | *
Interstage Application Server Standard-J Edition V9.0.0 [d] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | *
Interstage Application Server Standard-J Edition V9.0.0 [d] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | *
Interstage Application Server Enterprise Edition V7.0 [c] | RHEL-AS4(IPF) | FJSVihs | *
Interstage Application Server Enterprise Edition 8.0.0 [c] | RHEL-AS4(IPF) | FJSVihs | *
Interstage Application Server Enterprise Edition 8.0.1 [c] | RHEL-AS4(IPF) | FJSVihs | *
Interstage Application Server Enterprise Edition 8.0.2 [c] | RHEL-AS4(IPF) | FJSVihs | *
Interstage Application Server Enterprise Edition V9.0.0 [d] | RHEL-AS4(IPF) | FJSVihs | *
Interstage Application Server Enterprise Edition V9.0.0 [d] | RHEL5(IPF) | FJSVihs | *
Interstage Application Server Standard-J Edition V9.0.0 [d] | RHEL-AS4(IPF) | FJSVihs | *
Interstage Application Server Standard-J Edition V9.0.0 [d] | RHEL5(IPF) | FJSVihs | *
Interstage Application Server Enterprise Edition 8.0.0 for Windows [a] | Windows(IPF) | F3FMihs | *
Interstage Application Server Enterprise Edition V9.0.0 for Windows [b] | Windows(IPF) | F3FMihs | *

Interstage Apworks
Product [Workaround] | Target OS | Package name | Patch ID
Interstage Apworks Modelers-J Edition V6.0 for Windows [a] | Windows | F3FMihs | *
Interstage Apworks Modelers-J Edition V6.0A for Windows [a] | Windows | F3FMihs | *
Interstage Apworks Modelers-J Edition V7.0 for Windows [a] | Windows | F3FMihs | TP39823*

Interstage Studio
Product [Workaround] | Target OS | Package name | Patch ID
Interstage Studio Enterprise Edition 8.0.1 for Windows [a] | Windows | F3FMihs | *
Interstage Studio Standard-J Edition 8.0.1 for Windows [a] | Windows | F3FMihs | *
Interstage Studio Enterprise Edition V9.0.0 for Windows [b] | Windows | F3FMihs | *
Interstage Studio Standard-J Edition V9.0.0 for Windows [b] | Windows | F3FMihs | *

Interstage Business Application Server
Product [Workaround] | Target OS | Package name | Patch ID
Interstage Business Application Server Enterprise Edition 8.0.0 [c] | RHEL-AS4(IPF) | FJSVihs | *

Interstage Job Workload Server
Product [Workaround] | Target OS | Package name | Patch ID
Interstage Job Workload Server 8.1.0 [c] | RHEL-AS4(IPF) | FJSVihs | *


* Patches shown only as "*" (no patch ID and no link) are not publicly listed; please contact a Fujitsu system engineer or your partner(s) to obtain them.


Note: Determining the affected product
To check the software version, refer to the "FUJITSU SOFTWARE RELEASE GUIDE" supplied with the product.

3-3. Workaround

In the environment definition file (httpd.conf), either delete the directives shown below or put a hash sign (#) at the start of each line to turn it into a comment. This disables the server status monitoring function. Then restart the Web server. The lines shown as "." stand for whatever else appears inside the Location section; delete or comment out the whole section, not only its first and last lines.

  • Product [a]
    #LoadModule status_module modules/mod_status.so
    #AddModule mod_status.c
    #ExtendedStatus On
    #<Location /server-status>
    #    SetHandler server-status
    #    .
    #    .
    #    .
    #</Location>
  • Product [b]
    #LoadModule status_module "C:/Interstage/F3FMihs/modules/mod_status.so"
    #ExtendedStatus On
    #<Location /server-status>
    #    SetHandler server-status
    #    .
    #    .
    #    .
    #</Location>
  • Product [c]
    #LoadModule status_module libexec/mod_status.so
    #AddModule mod_status.c
    #ExtendedStatus On
    #<Location /server-status>
    #    SetHandler server-status
    #    .
    #    .
    #    .
    #</Location>
  • Product [d]
    #LoadModule status_module "/opt/FJSVihs/modules/mod_status.so"
    #ExtendedStatus On
    #<Location /server-status>
    #    SetHandler server-status
    #    .
    #    .
    #    .
    #</Location>
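The following script is an added example for checking that the workaround above has actually been applied; it is not part of the Fujitsu advisory and not Interstage's own tooling. It scans an httpd.conf for any directive from the lists above that is still active (not commented out), which catches a partially applied workaround such as a commented LoadModule line with the Location section left in place. The file paths and the two sample configuration files it writes are constructed for illustration; the real httpd.conf lives under the product's installation directory.

```shell
#!/bin/sh
# Added example (not from the Fujitsu advisory): verify that no server status
# monitoring directive is still active in an httpd.conf after applying the
# workaround in 3-3. Paths and sample configs below are constructed.

# Print every active (uncommented) line that loads, enables or exposes
# mod_status, prefixed with its line number. Prints nothing when the
# workaround is complete. Lines whose first non-blank character is '#'
# are comments and are ignored.
active_status_directives() {
    conf="$1"
    grep -nE 'status_module|mod_status\.c|ExtendedStatus|<Location[[:space:]]+/server-status|SetHandler[[:space:]]+server-status' "$conf" \
        | grep -vE '^[0-9]+:[[:space:]]*#'
}

# Exit 0 when server status monitoring is still enabled (workaround missing
# or incomplete), 1 when every such directive is deleted or commented out.
server_status_enabled() {
    [ -n "$(active_status_directives "$1")" ]
}

# Constructed samples: a product [c] style httpd.conf as shipped, and the
# same file after the advisory's workaround has been applied.
write_samples() {
    dir="$1"
    cat > "$dir/before.conf" <<'EOF'
ServerRoot "/opt/FJSVihs"
LoadModule status_module libexec/mod_status.so
AddModule mod_status.c
ExtendedStatus On
<Location /server-status>
    SetHandler server-status
</Location>
EOF
    cat > "$dir/after.conf" <<'EOF'
ServerRoot "/opt/FJSVihs"
#LoadModule status_module libexec/mod_status.so
#AddModule mod_status.c
#ExtendedStatus On
#<Location /server-status>
#    SetHandler server-status
#</Location>
EOF
}

# Demonstration: report both sample files.
tmpdir=$(mktemp -d)
write_samples "$tmpdir"
for f in before.conf after.conf; do
    if server_status_enabled "$tmpdir/$f"; then
        echo "$f: server status monitoring still ENABLED, active directives:"
        active_status_directives "$tmpdir/$f" | sed 's/^/    /'
    else
        echo "$f: server status monitoring disabled (workaround applied)"
    fi
done
rm -rf "$tmpdir"
```

Run it against the real file, for example `server_status_enabled /opt/FJSVihs/conf/httpd.conf` (assumed path), before restarting the Web server; a non-empty report means the section is still partly active. The check is deliberately broad: a leftover `ExtendedStatus On` or `SetHandler server-status` with the module unloaded can keep the server from starting or leave a dangling handler, so every line from the workaround list is treated as a finding.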

4. Related information

CVE-2007-6388
Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39, when the server-status page is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388

5. Revision history

  • December 17th, 2008 : Initial release