GTM-MQNC2Z4
Skip to main content
  1. Home >
  2. Support >
  3. Products >
  4. Software >
  5. Security >
  6. Fujitsu Patch & TA Information >
  7. This page provides Security Information.

Cross Site Scripting (XSS) problem in Interstage HTTP Server(CVE-2007-5000). December 17th, 2008


Notes on using this web page

1. Description

A cross-site scripting vulnerability has been confirmed in the Interstage HTTP Server image map function. This problem falls under CVE-2007-5000.

Fujitsu provides security patches shown in 3. Please apply them as soon as possible.

2. Impact

If this cross-site scripting is used, any script may be executed on the user's Web browser.

3. Affected systems and corresponding action

3-1. Affected systems:

GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, AT-compatible machine, PRIMEQUEST, SPARC Enterprise

3-2. Affected products and required patch

Note: The values set in "Workaround" below depend on the product. The symbol in square brackets in 'Products' corresponds to the contents set for iii of "Workaround".

Interstage Application Server
Products Target OS Package name Patch ID.
Interstage Application Server Enterprise Edition V5.0 for Windows [a] Windows F3FMihs TP09823*
Interstage Application Server Standard Edition V5.0 for Windows [a] Windows F3FMihs TP09823*
Interstage Application Server Web-J Edition V5.0 for Windows [a] Windows F3FMihs TP09823*
Interstage Application Server Plus V5.0.1 for Windows [a] Windows F3FMihs *
Interstage Application Server Plus Developer V5.0.1 for Windows [a] Windows F3FMihs *
Interstage Application Server Enterprise Edition V6.0 for Windows [a] Windows F3FMihs *
Interstage Application Server Plus V6.0 for Windows [a] Windows F3FMihs *
Interstage Application Server Plus Developer V6.0 for Windows [a] Windows F3FMihs *
Interstage Application Server Enterprise Edition V7.0 for Windows [a] Windows F3FMihs TP39823*
Interstage Application Server Plus V7.0 for Windows [a] Windows F3FMihs TP39823*
Interstage Application Server Plus Developer V7.0 for Windows [a] Windows F3FMihs TP39823*
Interstage Application Server Enterprise Edition V7.0.1 for Windows [a] Windows F3FMihs TP39823*
Interstage Application Server Plus V7.0.1 for Windows [a] Windows F3FMihs TP39823*
Interstage Application Server Enterprise Edition 8.0.0 for Windows [a] Windows F3FMihs *
Interstage Application Server Standard-J Edition 8.0.0 for Windows [a] Windows F3FMihs *
Interstage Application Server Enterprise Edition 8.0.1 for Windows [a] Windows F3FMihs *
Interstage Application Server Standard-J Edition 8.0.1 for Windows [a] Windows F3FMihs *
Interstage Application Server Enterprise Edition 8.0.2 for Windows [a] Windows F3FMihs *
Interstage Application Server Standard-J Edition 8.0.2 for Windows [a] Windows F3FMihs *
Interstage Application Server Enterprise Edition V9.0.0 for Windows [b] Windows F3FMihs *
Interstage Application Server Standard-J Edition V9.0.0 for Windows [b] Windows F3FMihs *
Interstage Application Server Enterprise Edition V9.0.0A for Windows [b] Windows F3FMihs *
Interstage Application Server Standard-J Edition V9.0.0A for Windows [b] Windows F3FMihs *
Interstage Application Server Enterprise Edition 5.0 [c] Solaris FJSVihs 912327-11*
Interstage Application Server Standard Edition 5.0 [c] Solaris FJSVihs 912327-11*
Interstage Application Server Web-J Edition 5.0 [c] Solaris FJSVihs 912327-11*
Interstage Application Server Enterprise Edition 5.0.1 [c] Solaris FJSVihs *
Interstage Application Server Enterprise Edition 6.0 [c] Solaris FJSVihs T0103S-07*
Interstage Application Server Enterprise Edition 7.0 [c] Solaris FJSVihs T013RS-06*
Interstage Application Server Plus 7.0 [c] Solaris FJSVihs T013RS-06*
Interstage Application Server Enterprise Edition 7.0.1 [c] Solaris FJSVihs T023AS-05*
Interstage Application Server Plus 7.0.1 [c] Solaris FJSVihs T023AS-05*
Interstage Application Server Enterprise Edition 8.0.0 [c] Solaris FJSVihs *
Interstage Application Server Standard-J Edition 8.0.0 [c] Solaris FJSVihs *
Interstage Application Server Enterprise Edition 8.0.2 [c] Solaris FJSVihs *
Interstage Application Server Standard-J Edition 8.0.2 [c] Solaris FJSVihs *
Interstage Application Server Enterprise Edition V9.0.0 [d] Solaris FJSVihs *
Interstage Application Server Standard-J Edition V9.0.0 [d] Solaris FJSVihs *
Interstage Application Server Enterprise Edition V5.0 [c] Turbolinux 7 Server FJSVihs T00019-10*
Interstage Application Server Standard Edition V5.0 [c] Turbolinux 7 Server FJSVihs T00019-10*
Interstage Application Server Web-J Edition V5.0 [c] Turbolinux 7 Server FJSVihs T00019-10*
Interstage Application Server Enterprise Edition V6.0 [c] RHEL-AS3(x86)/ ES3(x86) FJSVihs *
Interstage Application Server Enterprise Edition V7.0 [c] RHEL-AS3(x86)/ ES3(x86) FJSVihs T00603-05*
Interstage Application Server Plus V7.0 [c] RHEL-AS3(x86)/ ES3(x86) FJSVihs T00603-05*
Interstage Application Server Enterprise Edition V7.0.1 [c] RHEL-AS3(x86)/ ES3(x86)/ AS4(x86) FJSVihs T00603-05*
Interstage Application Server Plus V7.0.1 [c] RHEL-AS3(x86)/ ES3(x86)/ AS4(x86) FJSVihs T00603-05*
Interstage Application Server Enterprise Edition 8.0.0 [c] RHEL-AS4(x86)/ AS4(EM64T) FJSVihs *
Interstage Application Server Standard-J Edition 8.0.0 [c] RHEL-AS4(x86)/ AS4(EM64T) FJSVihs *
Interstage Application Server Enterprise Edition 8.0.2 [c] RHEL-AS4(x86)/ AS4(EM64T) FJSVihs *
Interstage Application Server Standard-J Edition 8.0.2 [c] RHEL-AS4(x86)/ AS4(EM64T) FJSVihs *
Interstage Application Server Enterprise Edition V9.0.0 [d] RHEL-AS4(x86)/ AS4(EM64T) FJSVihs *
Interstage Application Server Enterprise Edition V9.0.0 [d] RHEL5(x86)/ RHEL5(Intel64) FJSVihs *
Interstage Application Server Standard-J Edition V9.0.0 [d] RHEL-AS4(x86)/ AS4(EM64T) FJSVihs *
Interstage Application Server Standard-J Edition V9.0.0 [d] RHEL5(x86)/ RHEL5(Intel64) FJSVihs *
Interstage Application Server Enterprise Edition V7.0 [c] RHEL-AS4(IPF) FJSVihs *
Interstage Application Server Enterprise Edition 8.0.0 [c] RHEL-AS4(IPF) FJSVihs *
Interstage Application Server Enterprise Edition 8.0.1 [c] RHEL-AS4(IPF) FJSVihs *
Interstage Application Server Enterprise Edition 8.0.2 [c] RHEL-AS4(IPF) FJSVihs *
Interstage Application Server Enterprise Edition V9.0.0 [d] RHEL-AS4(IPF) FJSVihs *
Interstage Application Server Enterprise Edition V9.0.0 [d] RHEL5(IPF) FJSVihs *
Interstage Application Server Standard-J Edition V9.0.0 [d] RHEL-AS4(IPF) FJSVihs *
Interstage Application Server Standard-J Edition V9.0.0 [d] RHEL5(IPF) FJSVihs *
Interstage Application Server Enterprise Edition 8.0.0 for Windows [a] Windows(IPF) F3FMihs *
Interstage Application Server Enterprise Edition V9.0.0 for Windows [b] Windows(IPF) F3FMihs *
Interstage Apworks
Products Target OS Package name Patch ID.
Interstage Apworks Modelers-J Edition V6.0 for Windows [a] Windows F3FMihs *
Interstage Apworks Modelers-J Edition V6.0A for Windows [a] Windows F3FMihs *
Interstage Apworks Modelers-J Edition V7.0 for Windows [a] Windows F3FMihs TP39823*
Interstage Studio
Products Target OS Package name Patch ID.
Interstage Studio Enterprise Edition 8.0.1 for Windows [a] Windows F3FMihs *
Interstage Studio Standard-J Edition 8.0.1 for Windows [a] Windows F3FMihs *
Interstage Studio Enterprise Edition V9.0.0 for Windows [b] Windows F3FMihs *
Interstage Studio Standard-J Edition V9.0.0 for Windows [b] Windows F3FMihs *
Interstage Business Application Server
Products Target OS Package name Patch ID.
Interstage Business Application Server Enterprise Edition 8.0.0 [c] RHEL-AS4(IPF) FJSVihs *
Interstage Job Workload Server
Products Target OS Package name Patch ID.
Interstage Job Workload Server 8.1.0 [c] RHEL-AS4(IPF) FJSVihs *


* For the Patches without ID nor link, please contact a Fujitsu system engineer or your partner(s).

Note: Determining the affected product
To check the software version, refer to the "FUJITSU SOFTWARE RELEASE GUIDE" supplied with the product.

3-3. Workaround

To avoid the problem, edit the environment definition file (httpd.conf) in one of the following ways. After the file is edited, Interstage HTTP Server must be restarted.

  1. If "imap-file file extension" is set in the AddHandler directive, either delete the AddHandler directive, or add a hash sign (#) at the line head to make it a comment, which will disable the image map function.

    #AddHandler imap-file .map
  2. If i does not work, specify "none" in the ImapMenu directive, which will disable the menu display from the image map function.

    ImapMenu none
  3. If i and ii do not work, set the following expressions for the character encoding of the menu display page. This will reject the specification of inappropriate characters for the map file.
    space
    • Product [a]
      LoadModule rewrite_module modules/mod_rewrite.so

      AddModule mod_rewrite.c
      AddModule mod_imap.c

      AddHandler imap-file .map
      < FilesMatch .*\.map$ >
        AddDefaultCharset Shift_JIS
        RewriteEngine On
        RewriteCond %{REQUEST_URI} .*\.map/.*
        RewriteRule .* - [F]
      < /FilesMatch >
    • Product [b]
      LoadModule imap_module "C:/Interstage/F3FMihs/modules/mod_imap.so"
      LoadModule rewrite_module "C:/Interstage/F3FMihs/modules/mod_rewrite.so"

      AddHandler imap-file .map
      < FilesMatch .*\.map$ >
        AddDefaultCharset Shift_JIS
        RewriteEngine On
        RewriteCond %{REQUEST_URI} .*\.map/.*
        RewriteRule .* - [F]
      < /FilesMatch >
    • Product [c]
      LoadModule rewrite_module    libexec/mod_rewrite.so
      LoadModule imap_module       libexec/mod_imap.so

      AddModule mod_rewrite.c
      AddModule mod_imap.c

      AddHandler imap-file .map
      < FilesMatch .*\.map$ >
        AddDefaultCharset Shift_JIS
        RewriteEngine On
        RewriteCond %{REQUEST_URI} .*\.map/.*
        RewriteRule .* - [F]
      < /FilesMatch >
    • Product [d]
      LoadModule imap_module "/opt/FJSVihs/modules/mod_imap.so"
      LoadModule rewrite_module "/opt/FJSVihs/modules/mod_rewrite.so"

      AddHandler imap-file .map
      < FilesMatch .*\.map$ >
        AddDefaultCharset Shift_JIS
        RewriteEngine On
        RewriteCond %{REQUEST_URI} .*\.map/.*
        RewriteRule .* - [F]
      < /FilesMatch >

Note:

  • Modify the mod_imap.so and mod_rewrite.so paths according to the installation path.
  • Specify the < FilesMatch > directive and RewriteCond directive regular expressions according to the file extension set that is actually used in the map file.
  • In the AddDefaultCharset directive, specify the char set that is actually used in the map file.

4. Related information

CVE-2007-5000
Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in the Apache HTTP Server 1.3.0 through 1.3.39 and 2.0.35 through 2.0.61 and the (2) mod_imagemap module in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000

5. Revision history

  • December 17th, 2008 : 2nd edition
    - described "Patch ID." of "3-2. Affected products and required patch"
    - added the description for the "Note" of "3-2. Affected products and required patch"
    - deleted "FMV series" of "3-1. Affected systems"
  • January 17th, 2008 : Initial release

Services & Products

Corporate Information

Country Selector

Global

Change

World Map