FUJITSU


Interstage HTTP Server: Cross-site Scripting Problem (CVE-2007-4465/ CVE-2007-6203). December 15th, 2008



1. Description

  • Problem 1)
    A cross-site scripting vulnerability problem has been confirmed in the Interstage HTTP Server directory list automatic generation function.
    This issue is described in CVE-2007-4465.
  • Problem 2)
    A cross-site scripting vulnerability problem has been confirmed in the Interstage HTTP Server status code 413 response processing.
    This issue is described in CVE-2007-6203.

For details on how to avoid the problem, refer to section 3-3 below.

2. Impact

An attacker who injects a malicious script may take over a victim's account, change the victim's settings, misuse or falsify cookies, display illegitimate advertisements, etc.

3. Affected systems and corresponding action

3-1. Affected systems:

GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, AT-compatible machine, PRIMEQUEST, SPARC Enterprise

3-2. Affected products and required patch

Note: The settings to apply in "3-3. Workaround" below depend on the product. The symbol in square brackets after each product name ([a] or [b]) indicates which setting in "3-3. Workaround" applies to that product.

Interstage Application Server
Products | Target OS | Package name | Patch ID.
Interstage Application Server Enterprise Edition V5.0 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Standard Edition V5.0 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Web-J Edition V5.0 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Plus V5.0.1 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Plus Developer V5.0.1 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Enterprise Edition V6.0 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Plus V6.0 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Plus Developer V6.0 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Enterprise Edition V7.0 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Plus V7.0 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Plus Developer V7.0 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Enterprise Edition V7.0.1 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Plus V7.0.1 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Enterprise Edition 8.0.0 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Standard-J Edition 8.0.0 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Enterprise Edition 8.0.1 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Standard-J Edition 8.0.1 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Enterprise Edition 8.0.2 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Standard-J Edition 8.0.2 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Enterprise Edition V9.0.0 for Windows [b] | Windows | F3FMihs | None*
Interstage Application Server Standard-J Edition V9.0.0 for Windows [b] | Windows | F3FMihs | None*
Interstage Application Server Enterprise Edition V9.0.0A for Windows [b] | Windows | F3FMihs | None*
Interstage Application Server Standard-J Edition V9.0.0A for Windows [b] | Windows | F3FMihs | None*
Interstage Application Server Enterprise Edition V9.1.0 for Windows [b] | Windows | F3FMihs | None*
Interstage Application Server Standard-J Edition V9.1.0 for Windows [b] | Windows | F3FMihs | None*
Interstage Application Server Enterprise Edition 5.0 [a] | Solaris | FJSVihs | None*
Interstage Application Server Standard Edition 5.0 [a] | Solaris | FJSVihs | None*
Interstage Application Server Web-J Edition 5.0 [a] | Solaris | FJSVihs | None*
Interstage Application Server Enterprise Edition 5.0.1 [a] | Solaris | FJSVihs | None*
Interstage Application Server Enterprise Edition 6.0 [a] | Solaris | FJSVihs | None*
Interstage Application Server Enterprise Edition 7.0 [a] | Solaris | FJSVihs | None*
Interstage Application Server Plus 7.0 [a] | Solaris | FJSVihs | None*
Interstage Application Server Enterprise Edition 7.0.1 [a] | Solaris | FJSVihs | None*
Interstage Application Server Plus 7.0.1 [a] | Solaris | FJSVihs | None*
Interstage Application Server Enterprise Edition 8.0.0 [a] | Solaris | FJSVihs | None*
Interstage Application Server Standard-J Edition 8.0.0 [a] | Solaris | FJSVihs | None*
Interstage Application Server Enterprise Edition 8.0.2 [a] | Solaris | FJSVihs | None*
Interstage Application Server Standard-J Edition 8.0.2 [a] | Solaris | FJSVihs | None*
Interstage Application Server Enterprise Edition V9.0.0 [b] | Solaris | FJSVihs | None*
Interstage Application Server Standard-J Edition V9.0.0 [b] | Solaris | FJSVihs | None*
Interstage Application Server Enterprise Edition V9.1.0 [b] | Solaris | FJSVihs | None*
Interstage Application Server Standard-J Edition V9.1.0 [b] | Solaris | FJSVihs | None*
Interstage Application Server Enterprise Edition V5.0 [a] | Turbolinux 7 Server | FJSVihs | None*
Interstage Application Server Standard Edition V5.0 [a] | Turbolinux 7 Server | FJSVihs | None*
Interstage Application Server Web-J Edition V5.0 [a] | Turbolinux 7 Server | FJSVihs | None*
Interstage Application Server Enterprise Edition V6.0 [a] | RHEL-AS3(x86)/ ES3(x86) | FJSVihs | None*
Interstage Application Server Enterprise Edition V7.0 [a] | RHEL-AS3(x86)/ ES3(x86) | FJSVihs | None*
Interstage Application Server Plus V7.0 [a] | RHEL-AS3(x86)/ ES3(x86) | FJSVihs | None*
Interstage Application Server Enterprise Edition V7.0.1 [a] | RHEL-AS3(x86)/ ES3(x86)/ AS4(x86) | FJSVihs | None*
Interstage Application Server Plus V7.0.1 [a] | RHEL-AS3(x86)/ ES3(x86)/ AS4(x86) | FJSVihs | None*
Interstage Application Server Enterprise Edition 8.0.0 [a] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | None*
Interstage Application Server Standard-J Edition 8.0.0 [a] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | None*
Interstage Application Server Enterprise Edition 8.0.2 [a] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | None*
Interstage Application Server Standard-J Edition 8.0.2 [a] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | None*
Interstage Application Server Enterprise Edition V9.0.0 [b] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | None*
Interstage Application Server Enterprise Edition V9.0.0 [b] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | None*
Interstage Application Server Standard-J Edition V9.0.0 [b] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | None*
Interstage Application Server Standard-J Edition V9.0.0 [b] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | None*
Interstage Application Server Enterprise Edition V9.1.0 [b] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | None*
Interstage Application Server Enterprise Edition V9.1.0 [b] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | None*
Interstage Application Server Standard-J Edition V9.1.0 [b] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | None*
Interstage Application Server Standard-J Edition V9.1.0 [b] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | None*
Interstage Application Server Enterprise Edition V7.0 [a] | RHEL-AS4(IPF) | FJSVihs | None*
Interstage Application Server Enterprise Edition 8.0.0 [a] | RHEL-AS4(IPF) | FJSVihs | None*
Interstage Application Server Enterprise Edition 8.0.1 [a] | RHEL-AS4(IPF) | FJSVihs | None*
Interstage Application Server Enterprise Edition 8.0.2 [a] | RHEL-AS4(IPF) | FJSVihs | None*
Interstage Application Server Enterprise Edition V9.0.0 [b] | RHEL-AS4(IPF) | FJSVihs | None*
Interstage Application Server Enterprise Edition V9.0.0 [b] | RHEL5(IPF) | FJSVihs | None*
Interstage Application Server Standard-J Edition V9.0.0 [b] | RHEL-AS4(IPF) | FJSVihs | None*
Interstage Application Server Standard-J Edition V9.0.0 [b] | RHEL5(IPF) | FJSVihs | None*
Interstage Application Server Enterprise Edition V9.1.0 [b] | RHEL-AS4(IPF) | FJSVihs | None*
Interstage Application Server Enterprise Edition V9.1.0 [b] | RHEL5(IPF) | FJSVihs | None*
Interstage Application Server Standard-J Edition V9.1.0 [b] | RHEL-AS4(IPF) | FJSVihs | None*
Interstage Application Server Standard-J Edition V9.1.0 [b] | RHEL5(IPF) | FJSVihs | None*
Interstage Application Server Enterprise Edition 8.0.0 for Windows [a] | Windows(IPF) | F3FMihs | None*
Interstage Application Server Enterprise Edition V9.0.0 for Windows [b] | Windows(IPF) | F3FMihs | None*
Interstage Application Server Enterprise Edition V9.1.0 for Windows [b] | Windows(IPF) | F3FMihs | None*
Interstage Application Server Standard-J Edition V9.1.0 for Windows [b] | Windows(IPF) | F3FMihs | None*

Interstage Apworks
Products | Target OS | Package name | Patch ID.
Interstage Apworks Modelers-J Edition V6.0 for Windows [a] | Windows | F3FMihs | None*
Interstage Apworks Modelers-J Edition V6.0A for Windows [a] | Windows | F3FMihs | None*
Interstage Apworks Modelers-J Edition V7.0 for Windows [a] | Windows | F3FMihs | None*

Interstage Studio
Products | Target OS | Package name | Patch ID.
Interstage Studio Enterprise Edition 8.0.1 for Windows [a] | Windows | F3FMihs | None*
Interstage Studio Standard-J Edition 8.0.1 for Windows [a] | Windows | F3FMihs | None*
Interstage Studio Enterprise Edition V9.0.0 for Windows [b] | Windows | F3FMihs | None*
Interstage Studio Standard-J Edition V9.0.0 for Windows [b] | Windows | F3FMihs | None*
Interstage Studio Enterprise Edition V9.1.0 for Windows [b] | Windows | F3FMihs | None*
Interstage Studio Standard-J Edition V9.1.0 for Windows [b] | Windows | F3FMihs | None*

Interstage Business Application Server
Products | Target OS | Package name | Patch ID.
Interstage Business Application Server Enterprise Edition 8.0.0 [a] | RHEL-AS4(IPF) | FJSVihs | None*

Interstage Job Workload Server
Products | Target OS | Package name | Patch ID.
Interstage Job Workload Server 8.1.0 [a] | RHEL-AS4(IPF) | FJSVihs | None*


* No patch is provided; this vulnerability is avoided by applying the settings in "3-3. Workaround" below.

Note: Determining the affected product
To check the software version, refer to the "FUJITSU SOFTWARE RELEASE GUIDE" supplied with the product.

3-3. Workaround

  • Problem 1)
    To avoid the problem, edit the environment definition file (httpd.conf) in one of the following ways. After the file has been edited, Interstage HTTP Server must be restarted.
    • 1-1)
      If "Indexes" is set in the Options directive, delete "Indexes" to disable the automatic directory list generation function.
    • 1-2)
      Avoid the problem by setting the content character set explicitly.

      Example:
      If the content type is text/plain or text/html and the character set of the content is UTF-8, set utf-8 in the AddDefaultCharset directive.
      Specification example: AddDefaultCharset utf-8

      Note:
      In environments in which content with several different character sets is mixed, characters may be garbled. In this case, avoid the problem by following the procedure in 1-1) instead.
  • Problem 2)
    Avoid the problem by editing the environment definition file (httpd.conf) as follows, so that the error message for status code 413 is a plain text message. After the file has been edited, Interstage HTTP Server must be restarted.
    • For [a] products:
      Specify the text message after an opening double quotation mark (") with no closing quotation mark.
      Specification example: ErrorDocument 413 "413 Request Entity Too Large
    • For [b] products:
      Enclose the text message in double quotation marks (").
      Specification example: ErrorDocument 413 "413 Request Entity Too Large"
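The following is an added example, not part of the Fujitsu advisory: a small Python audit script that reads an httpd.conf and reports whether the two workaround conditions above are met, so an administrator can verify a fleet of configuration files before restarting the servers. It checks that "Indexes" is not enabled in any Options directive unless an AddDefaultCharset is set (problem 1), and that the last ErrorDocument 413 directive is a quoted text message rather than a file or URL (problem 2). Both the [a] form (opening quote only) and the [b] form (enclosed in quotes) begin with a double quotation mark, so the same check accepts either. The three configuration fragments embedded in the script are constructed samples; the hostnames and paths in them are invented.

```python
import re

# Constructed sample: both problems present (Indexes on, no charset, 413 page is a file).
VULNERABLE_CONF = """\
ServerName www.example.test
<Directory "/var/www/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
ErrorDocument 413 /errors/413.html
"""

# Constructed sample: workaround 1-1 and the [b] form of the 413 message applied.
HARDENED_CONF_B = """\
ServerName www.example.test
<Directory "/var/www/htdocs">
    Options FollowSymLinks
    AllowOverride None
</Directory>
ErrorDocument 413 "413 Request Entity Too Large"
"""

# Constructed sample: workaround 1-2 (charset kept, Indexes kept) and the [a] form
# of the 413 message, which has an opening quote but no closing quote.
HARDENED_CONF_A = """\
ServerName www.example.test
<Directory "/var/www/htdocs">
    Options Indexes FollowSymLinks
</Directory>
AddDefaultCharset utf-8
ErrorDocument 413 "413 Request Entity Too Large
"""


def parse_directives(conf_text):
    """Return (name, args) pairs for each directive line, skipping comments and section tags."""
    directives = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        directives.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return directives


def audit_httpd_conf(conf_text):
    """Return a list of findings; an empty list means both workarounds are in place."""
    findings = []
    directives = parse_directives(conf_text)

    # Problem 1: "Indexes" (optionally written "+Indexes") enables mod_autoindex listings.
    # A "-Indexes" token does not count as enabling it.
    indexes_on = any(
        name.lower() == "options"
        and re.search(r"(^|\s)\+?indexes(\s|$)", args, re.IGNORECASE)
        for name, args in directives
    )
    charset_set = any(
        name.lower() == "adddefaultcharset" and args.strip().lower() not in ("", "off")
        for name, args in directives
    )
    if indexes_on and not charset_set:
        findings.append("problem 1: Options Indexes enabled without AddDefaultCharset (CVE-2007-4465)")

    # Problem 2: the last ErrorDocument 413 wins; its value must start with a double quote,
    # which is how Apache distinguishes a literal text message from a file path or URL.
    doc413 = [args for name, args in directives
              if name.lower() == "errordocument" and args.split()[:1] == ["413"]]
    if not doc413:
        findings.append("problem 2: no ErrorDocument 413 text message configured (CVE-2007-6203)")
    else:
        value = doc413[-1].split(None, 1)
        message = value[1] if len(value) > 1 else ""
        if not message.startswith('"'):
            findings.append("problem 2: ErrorDocument 413 is not a quoted text message (CVE-2007-6203)")
    return findings


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF),
                        ("hardened [b]", HARDENED_CONF_B),
                        ("hardened [a]", HARDENED_CONF_A)):
        result = audit_httpd_conf(conf)
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```

To audit a real server, read the file into `audit_httpd_conf` (for example `audit_httpd_conf(open(path).read())`) and treat any non-empty result as a reason not to consider the workaround applied. The script only inspects the main file; directives pulled in through Include must be checked the same way.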

4. Related information

  • CVE-2007-4465
    Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitrary web script or HTML via the P parameter using the UTF-7 charset. NOTE: it could be argued that this issue is due to a design limitation of browsers that attempt to perform automatic content type detection.
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465
  • CVE-2007-6203
    Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated via an HTTP request containing an invalid Content-length value, a similar issue to CVE-2006-3918.
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6203

5. Revision history

  • December 15th, 2008 : Initial release