Interstage HTTP Server: Cross-site Scripting Problem (CVE-2007-4465/ CVE-2007-6203). July 27th, 2010



1. Description

  • Problem 1)
    A cross-site scripting vulnerability has been confirmed in the Interstage HTTP Server automatic directory list generation function.
    This issue is described in CVE-2007-4465.

    Fujitsu provides the workaround shown in 3-3.
    Please apply it as soon as possible.
  • Problem 2)
    A cross-site scripting vulnerability has been confirmed in the Interstage HTTP Server status code 413 response processing.
    This issue is described in CVE-2007-6203.

    Fujitsu provides the security patches shown in 3-2.
    Please apply the patch as soon as possible.
    For products without a patch, apply the workaround shown in 3-3.

2. Impact

Attackers can inject malicious scripts into pages served by the affected server, which may lead to a victim's account being taken over, user settings being changed, cookies being misused or falsified, illegitimate advertisements being displayed, and similar consequences.

3. Affected systems and corresponding action

3-1. Affected systems:

GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, AT-compatible machine, PRIMEQUEST, SPARC Enterprise

3-2. Affected products and required patch

Note: The values to be set in "3-3. Workaround" below depend on the product. The symbol in square brackets ([a] or [b]) after each product name indicates which settings in "3-3. Workaround" apply to it.

Interstage Application Server
Products | Target OS | Package name | Patch ID
Interstage Application Server Enterprise Edition V5.0 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Standard Edition V5.0 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Web-J Edition V5.0 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Plus V5.0.1 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Plus Developer V5.0.1 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Enterprise Edition V6.0 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Plus V6.0 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Plus Developer V6.0 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Enterprise Edition V7.0 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Plus V7.0 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Plus Developer V7.0 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Enterprise Edition V7.0.1 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Plus V7.0.1 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Enterprise Edition 8.0.0 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Standard-J Edition 8.0.0 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Enterprise Edition 8.0.1 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Standard-J Edition 8.0.1 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Enterprise Edition 8.0.2 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Standard-J Edition 8.0.2 for Windows [a] | Windows | F3FMihs | None*
Interstage Application Server Enterprise Edition V9.0.0 for Windows [b] | Windows | F3FMihs | T001001WP-04 (note)
Interstage Application Server Standard-J Edition V9.0.0 for Windows [b] | Windows | F3FMihs | T001001WP-04 (note)
Interstage Application Server Enterprise Edition V9.0.0A for Windows [b] | Windows | F3FMihs | T001001WP-04 (note)
Interstage Application Server Standard-J Edition V9.0.0A for Windows [b] | Windows | F3FMihs | T001001WP-04 (note)
Interstage Application Server Standard-J Edition V9.0.0B for Windows [b] | Windows | F3FMihs | T001001WP-04 (note)
Interstage Application Server Enterprise Edition V9.1.0 for Windows [b] | Windows | F3FMihs | T002174WP-02 (note)
Interstage Application Server Standard-J Edition V9.1.0 for Windows [b] | Windows | F3FMihs | T002174WP-02 (note)
Interstage Application Server Enterprise Edition V9.1.0B for Windows [b] | Windows | F3FMihs | T002174WP-02 (note)
Interstage Application Server Standard-J Edition V9.1.0B for Windows [b] | Windows | F3FMihs | T002174WP-02 (note)
Interstage Application Server Enterprise Edition V9.2.0 for Windows [b] | Windows | F3FMihs | T004344WP-01 (note)
Interstage Application Server Standard-J Edition V9.2.0 for Windows [b] | Windows | F3FMihs | T004344WP-01 (note)
Interstage Application Server Enterprise Edition 8.0.0 for Windows [a] | Windows(IPF) | F3FMihs | None*
Interstage Application Server Enterprise Edition V9.0.0 for Windows [b] | Windows(IPF) | F3FMihs | T001005IP-03 (note)
Interstage Application Server Standard-J Edition V9.0.0 for Windows [b] | Windows(IPF) | F3FMihs | T001005IP-03 (note)
Interstage Application Server Enterprise Edition V9.1.0 for Windows [b] | Windows(IPF) | F3FMihs | T002175IP-02 (note)
Interstage Application Server Standard-J Edition V9.1.0 for Windows [b] | Windows(IPF) | F3FMihs | T002175IP-02 (note)
Interstage Application Server Enterprise Edition V9.2.0 for Windows [b] | Windows(IPF) | F3FMihs | T004345IP-01 (note)
Interstage Application Server Standard-J Edition V9.2.0 for Windows [b] | Windows(IPF) | F3FMihs | T004345IP-01 (note)
Interstage Application Server Enterprise Edition V9.2.0 for Windows [b] | Windows(EM64T) | F3FMihs | T004346XP-01 (note)
Interstage Application Server Standard-J Edition V9.2.0 for Windows [b] | Windows(EM64T) | F3FMihs | T004346XP-01 (note)
Interstage Application Server Enterprise Edition 5.0 [a] | Solaris | FJSVihs | None*
Interstage Application Server Standard Edition 5.0 [a] | Solaris | FJSVihs | None*
Interstage Application Server Web-J Edition 5.0 [a] | Solaris | FJSVihs | None*
Interstage Application Server Enterprise Edition 5.0.1 [a] | Solaris | FJSVihs | None*
Interstage Application Server Enterprise Edition 6.0 [a] | Solaris | FJSVihs | None*
Interstage Application Server Enterprise Edition 7.0 [a] | Solaris | FJSVihs | None*
Interstage Application Server Plus 7.0 [a] | Solaris | FJSVihs | None*
Interstage Application Server Enterprise Edition 7.0.1 [a] | Solaris | FJSVihs | None*
Interstage Application Server Plus 7.0.1 [a] | Solaris | FJSVihs | None*
Interstage Application Server Enterprise Edition 8.0.0 [a] | Solaris | FJSVihs | None*
Interstage Application Server Standard-J Edition 8.0.0 [a] | Solaris | FJSVihs | None*
Interstage Application Server Enterprise Edition 8.0.2 [a] | Solaris | FJSVihs | None*
Interstage Application Server Standard-J Edition 8.0.2 [a] | Solaris | FJSVihs | None*
Interstage Application Server Enterprise Edition V9.0.0 [b] | Solaris | FJSVihs | T001004SP-05 (note)
Interstage Application Server Standard-J Edition V9.0.0 [b] | Solaris | FJSVihs | T001004SP-05 (note)
Interstage Application Server Enterprise Edition V9.0.0B [b] | Solaris | FJSVihs | T001004SP-05 (note)
Interstage Application Server Enterprise Edition V9.1.0 [b] | Solaris | FJSVihs | T002180SP-03 (note)
Interstage Application Server Standard-J Edition V9.1.0 [b] | Solaris | FJSVihs | T002180SP-03 (note)
Interstage Application Server Enterprise Edition V9.1.0B [b] | Solaris | FJSVihs | T002180SP-03 (note)
Interstage Application Server Standard-J Edition V9.1.0B [b] | Solaris | FJSVihs | T002180SP-03 (note)
Interstage Application Server Enterprise Edition V9.2.0 [b] | Solaris | FJSVihs | T004343SP-01 (note)
Interstage Application Server Standard-J Edition V9.2.0 [b] | Solaris | FJSVihs | T004343SP-01 (note)
Interstage Application Server Enterprise Edition V5.0 [a] | Turbolinux 7 Server | FJSVihs | None*
Interstage Application Server Standard Edition V5.0 [a] | Turbolinux 7 Server | FJSVihs | None*
Interstage Application Server Web-J Edition V5.0 [a] | Turbolinux 7 Server | FJSVihs | None*
Interstage Application Server Enterprise Edition V6.0 [a] | RHEL-AS3(x86)/ ES3(x86) | FJSVihs | None*
Interstage Application Server Enterprise Edition V7.0 [a] | RHEL-AS3(x86)/ ES3(x86) | FJSVihs | None*
Interstage Application Server Plus V7.0 [a] | RHEL-AS3(x86)/ ES3(x86) | FJSVihs | None*
Interstage Application Server Enterprise Edition V7.0.1 [a] | RHEL-AS3(x86)/ ES3(x86)/ AS4(x86) | FJSVihs | None*
Interstage Application Server Plus V7.0.1 [a] | RHEL-AS3(x86)/ ES3(x86)/ AS4(x86) | FJSVihs | None*
Interstage Application Server Enterprise Edition 8.0.0 [a] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | None*
Interstage Application Server Standard-J Edition 8.0.0 [a] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | None*
Interstage Application Server Enterprise Edition 8.0.2 [a] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | None*
Interstage Application Server Standard-J Edition 8.0.2 [a] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | None*
Interstage Application Server Enterprise Edition V9.0.0 [b] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T001003LP-03 (note)
Interstage Application Server Enterprise Edition V9.0.0 [b] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T001044LP-03 (note)
Interstage Application Server Standard-J Edition V9.0.0 [b] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T001003LP-03 (note)
Interstage Application Server Standard-J Edition V9.0.0 [b] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T001044LP-03 (note)
Interstage Application Server Enterprise Edition V9.1.0 [b] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T002176LP-02 (note)
Interstage Application Server Enterprise Edition V9.1.0 [b] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T002177LP-02 (note)
Interstage Application Server Standard-J Edition V9.1.0 [b] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T002176LP-02 (note)
Interstage Application Server Standard-J Edition V9.1.0 [b] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T002177LP-02 (note)
Interstage Application Server Enterprise Edition V9.1.0B [b] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T002176LP-02 (note)
Interstage Application Server Enterprise Edition V9.1.0B [b] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T002177LP-02 (note)
Interstage Application Server Standard-J Edition V9.1.0B [b] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T002176LP-02 (note)
Interstage Application Server Standard-J Edition V9.1.0B [b] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T002177LP-02 (note)
Interstage Application Server Enterprise Edition V9.2.0 [b] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T004338LP-01 (note)
Interstage Application Server Enterprise Edition V9.2.0 [b] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T004339LP-01 (note)
Interstage Application Server Standard-J Edition V9.2.0 [b] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T004338LP-01 (note)
Interstage Application Server Standard-J Edition V9.2.0 [b] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T004339LP-01 (note)
Interstage Application Server Enterprise Edition V7.0 [a] | RHEL-AS4(IPF) | FJSVihs | None*
Interstage Application Server Enterprise Edition 8.0.0 [a] | RHEL-AS4(IPF) | FJSVihs | None*
Interstage Application Server Enterprise Edition 8.0.1 [a] | RHEL-AS4(IPF) | FJSVihs | None*
Interstage Application Server Enterprise Edition 8.0.2 [a] | RHEL-AS4(IPF) | FJSVihs | None*
Interstage Application Server Enterprise Edition V9.0.0 [b] | RHEL-AS4(IPF) | FJSVihs | T001002QP-03 (note)
Interstage Application Server Enterprise Edition V9.0.0 [b] | RHEL5(IPF) | FJSVihs | T001043QP-03 (note)
Interstage Application Server Standard-J Edition V9.0.0 [b] | RHEL-AS4(IPF) | FJSVihs | T001002QP-03 (note)
Interstage Application Server Standard-J Edition V9.0.0 [b] | RHEL5(IPF) | FJSVihs | T001043QP-03 (note)
Interstage Application Server Enterprise Edition V9.0.0A [b] | RHEL-AS4(IPF) | FJSVihs | T001002QP-03 (note)
Interstage Application Server Enterprise Edition V9.0.0A [b] | RHEL5(IPF) | FJSVihs | T001043QP-03 (note)
Interstage Application Server Enterprise Edition V9.1.0 [b] | RHEL-AS4(IPF) | FJSVihs | T002178QP-02 (note)
Interstage Application Server Enterprise Edition V9.1.0 [b] | RHEL5(IPF) | FJSVihs | T002179QP-02 (note)
Interstage Application Server Standard-J Edition V9.1.0 [b] | RHEL-AS4(IPF) | FJSVihs | T002178QP-02 (note)
Interstage Application Server Standard-J Edition V9.1.0 [b] | RHEL5(IPF) | FJSVihs | T002179QP-02 (note)
Interstage Application Server Enterprise Edition V9.2.0 [b] | RHEL-AS4(IPF) | FJSVihs | T004340QP-01 (note)
Interstage Application Server Enterprise Edition V9.2.0 [b] | RHEL5(IPF) | FJSVihs | T004341QP-01 (note)
Interstage Application Server Standard-J Edition V9.2.0 [b] | RHEL-AS4(IPF) | FJSVihs | T004340QP-01 (note)
Interstage Application Server Standard-J Edition V9.2.0 [b] | RHEL5(IPF) | FJSVihs | T004341QP-01 (note)
Interstage Application Server Enterprise Edition V9.2.0 [b] | RHEL5(Intel64) | FJSVihs | T004342LP-01 (note)
Interstage Application Server Standard-J Edition V9.2.0 [b] | RHEL5(Intel64) | FJSVihs | T004342LP-01 (note)

Interstage Apworks
Products | Target OS | Package name | Patch ID
Interstage Apworks Modelers-J Edition V6.0 for Windows [a] | Windows | F3FMihs | None*
Interstage Apworks Modelers-J Edition V6.0A for Windows [a] | Windows | F3FMihs | None*
Interstage Apworks Modelers-J Edition V7.0 for Windows [a] | Windows | F3FMihs | None*

Interstage Studio
Products | Target OS | Package name | Patch ID
Interstage Studio Enterprise Edition 8.0.1 for Windows [a] | Windows | F3FMihs | None*
Interstage Studio Standard-J Edition 8.0.1 for Windows [a] | Windows | F3FMihs | None*
Interstage Studio Enterprise Edition V9.0.0 for Windows [b] | Windows | F3FMihs | T001001WP-04 (note)
Interstage Studio Standard-J Edition V9.0.0 for Windows [b] | Windows | F3FMihs | T001001WP-04 (note)
Interstage Studio Enterprise Edition V9.1.0 for Windows [b] | Windows | F3FMihs | T002174WP-02 (note)
Interstage Studio Standard-J Edition V9.1.0 for Windows [b] | Windows | F3FMihs | T002174WP-02 (note)
Interstage Studio Enterprise Edition V9.1.0B for Windows [b] | Windows | F3FMihs | T002174WP-02 (note)
Interstage Studio Standard-J Edition V9.1.0B for Windows [b] | Windows | F3FMihs | T002174WP-02 (note)
Interstage Studio Enterprise Edition V9.2.0 for Windows [b] | Windows | F3FMihs | T004344WP-01 (note)
Interstage Studio Standard-J Edition V9.2.0 for Windows [b] | Windows | F3FMihs | T004344WP-01 (note)

Interstage Business Application Server
Products | Target OS | Package name | Patch ID
Interstage Business Application Server Enterprise Edition 8.0.0 [a] | RHEL-AS4(IPF) | FJSVihs | None*

Interstage Job Workload Server
Products | Target OS | Package name | Patch ID
Interstage Job Workload Server 8.1.0 [a] | RHEL-AS4(IPF) | FJSVihs | None*


* No patch is provided for this product; avoid the vulnerability by applying the measures in "3-3. Workaround" below.


(note) These patches only address "Problem 2" shown in "1. Description". Therefore, for "Problem 1", please also apply the workaround shown in "3-3. Workaround".

Note: Determining the affected product
To check the software version, refer to the "FUJITSU SOFTWARE RELEASE GUIDE" supplied with the product.

3-3. Workaround

  • Problem 1)
    To avoid the problem, edit the environment definition file (httpd.conf) in one of the following ways. After the file is edited, Interstage HTTP Server must be restarted.
    • 1-1)
      If "Indexes" has been set in the Options directive, disable the automatic directory list generation function by deleting "Indexes".
    • 1-2)
      Avoid the problem by setting the content character set explicitly.

      Example:
      If the content type is text/plain or text/html and the character set of the content is UTF-8, set utf-8 in the AddDefaultCharset directive.
      Specification example: AddDefaultCharset utf-8

      Note:
      In environments in which content with different character sets is mixed together, characters may be garbled. In this case, avoid the problem by following the procedure in 1-1) instead.
  • Problem 2)
    Avoid the problem by editing the environment definition file (httpd.conf) as described below so that the error message for status code 413 is a text message rather than a file or URL. After editing the file, Interstage HTTP Server must be restarted.
    • For [a] products:
      Specify the text message after a double quotation mark (").
      Specification example: ErrorDocument 413 "413 Request Entity Too Large
    • For [b] products:
      Enclose the text message in double quotation marks (").
      Specification example: ErrorDocument 413 "413 Request Entity Too Large"
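The following check is an added example and is not part of Fujitsu's advisory: it audits an httpd.conf text for the three settings named in 3-3 (Indexes in Options, AddDefaultCharset, and a text ErrorDocument 413) and reports whether each problem is mitigated. The two configuration fragments are constructed samples, not an actual Interstage configuration.

```python
import re

# Constructed sample httpd.conf fragment in the weak state described in 3-3: Indexes on,
# no default charset, and a file rather than a text message for status 413.
WEAK_CONF = """\
<Directory "/var/www/htdocs">
    Options Indexes FollowSymLinks
</Directory>
ErrorDocument 413 /errors/413.html
"""

# Constructed fragment with the [b]-product workaround applied (1-1, 1-2 and Problem 2).
FIXED_CONF = """\
<Directory "/var/www/htdocs">
    Options FollowSymLinks
</Directory>
AddDefaultCharset utf-8
ErrorDocument 413 "413 Request Entity Too Large"
"""

def audit_httpd_conf(text):
    """Report the state of the three settings named in 3-3 for one httpd.conf text."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    # 1-1: an Options line that turns Indexes on ("Indexes" or "+Indexes"; "-Indexes" is off).
    indexes_on = any(
        re.match(r"Options\b", l, re.I) and re.search(r"(?<![-\w])\+?Indexes\b", l, re.I)
        for l in lines)
    # 1-2: an explicit default charset ("AddDefaultCharset Off" counts as none).
    charset = None
    for l in lines:
        m = re.match(r"AddDefaultCharset\s+(\S+)", l, re.I)
        if m and m.group(1).lower() != "off":
            charset = m.group(1)
    # Problem 2: ErrorDocument 413 must be a text message, i.e. its argument starts with a
    # double quote (the [a] form leaves it unclosed, the [b] form closes it).
    ed413 = next((l for l in lines if re.match(r"ErrorDocument\s+413\s+\S", l, re.I)), None)
    if ed413 is None:
        ed_state = "missing"
    else:
        ed_state = "text" if ed413.split(None, 2)[2].startswith('"') else "non-text"
    return {"indexes_enabled": indexes_on, "default_charset": charset, "errordoc_413": ed_state}

def problem1_mitigated(findings):
    # Either 1-1 (Indexes removed) or 1-2 (explicit charset) addresses CVE-2007-4465.
    return (not findings["indexes_enabled"]) or findings["default_charset"] is not None

def problem2_mitigated(findings):
    # Only a text ErrorDocument 413 addresses CVE-2007-6203 on products without a patch.
    return findings["errordoc_413"] == "text"
```

The Options check reads every Options line in the file; on a real server, confirm which <Directory> scope the listed Options line belongs to, since the directive is evaluated per scope.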

4. Related information

  • CVE-2007-4465
    Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitrary web script or HTML via the P parameter using the UTF-7 charset. NOTE: it could be argued that this issue is due to a design limitation of browsers that attempt to perform automatic content type detection.
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465
  • CVE-2007-6203
    Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated via an HTTP request containing an invalid Content-length value, a similar issue to CVE-2006-3918.
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6203

5. Revision history

  • July 27th, 2010: 2nd edition
    • The counter-action method in "1. Description" has been changed.
    • Some patch ids have been added to "3-2. Affected products and required patch".
    • The following products have been added to "3-2. Affected products and required patch":
      Interstage Application Server Standard-J Edition V9.0.0 Windows(IPF)
      Interstage Application Server Enterprise Edition V9.0.0A RHEL-AS4(IPF)
      Interstage Application Server Enterprise Edition V9.0.0A RHEL5(IPF)
      Interstage Application Server Enterprise Edition V9.0.0B
      Interstage Application Server Standard-J Edition V9.0.0B
      Interstage Application Server Enterprise Edition V9.1.0B
      Interstage Application Server Standard-J Edition V9.1.0B
      Interstage Application Server Enterprise Edition V9.2.0
      Interstage Application Server Standard-J Edition V9.2.0
  • December 15th, 2008: Initial release
