Interstage HTTP Server: Security vulnerability in the server status monitoring function (CVE-2007-6388). December 17th, 2008



1. Description

The server status monitoring function (mod_status, which serves the /server-status page) of Interstage HTTP Server contains a cross-site scripting vulnerability. A crafted request to the status page can make the client connect to a site the attacker chooses, or run script the attacker supplies. This vulnerability is detailed in CVE-2007-6388.

Fujitsu provides the security patches listed in section 3.
Please apply them as soon as possible.

2. Impact

An attacker who convinces a victim to follow a crafted link to the server status page can redirect the victim to a phishing site, or exploit the cross-site scripting (XSS) vulnerability so that arbitrary script of the attacker's choosing runs in the victim's Web browser.
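The scenario above leaves a trace in the Web server access log: requests for /server-status, in particular ones that were actually served (status 200) after the page should have been disabled, ones arriving with a referrer from another site (the victim was led there), and ones whose query string carries markup characters. The following Python script is an added example, not part of this advisory and not Fujitsu or Interstage code. The access-log lines it scans are constructed for illustration in Apache "combined" log format, and the markup-character check is a generic script-injection indicator, not the specific vector of CVE-2007-6388, which the CVE entry leaves unspecified.

```python
import re
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Apache "combined" format); not real traffic.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [17/Dec/2008:10:00:01 +0900] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [17/Dec/2008:10:00:05 +0900] "GET /server-status HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Dec/2008:10:01:12 +0900] "GET /server-status?%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4096 "http://attacker.example/" "Mozilla/5.0"',
    '127.0.0.1 - - [17/Dec/2008:10:02:00 +0900] "GET /server-status/?refresh=5 HTTP/1.1" 404 210 "-" "curl/7.18.0"',
    'broken line that does not parse',
]

COMBINED_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Characters that have no business in a query string aimed at the status page.
# This is a generic script-injection indicator, not the CVE-2007-6388 vector.
MARKUP_CHARS = frozenset('<>"\'')


def audit_server_status_requests(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per request to /server-status found in `lines`."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = COMBINED_LOG_RE.match(line)
        if m is None:
            continue                            # malformed line: skip, do not crash
        target = urlsplit(m.group("target"))
        if target.path.rstrip("/") != "/server-status":
            continue
        query = unquote(target.query)           # decode %3C etc. before inspecting
        status = int(m.group("status"))
        findings.append({
            "client": m.group("client"),
            "time": m.group("time"),
            "status": status,
            "served": status == 200,            # 200 means the status page is still enabled
            "external_referer": m.group("referer") not in ("", "-"),
            "suspicious_query": any(c in MARKUP_CHARS for c in query),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_server_status_requests(SAMPLE_ACCESS_LOG):
        print(finding)
```

Any finding with "served" true after the workaround or patch was applied means the change did not take effect on that host; a finding with both "external_referer" and "suspicious_query" is the pattern the Impact section describes and is worth an incident ticket.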

3. Affected systems and corresponding action

3-1. Affected systems:

GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, AT-compatible machine, PRIMEQUEST, SPARC Enterprise

3-2. Affected products and required patch

Note: The directives to disable in "3-3. Workaround" depend on the product. The letter in square brackets after each product name ([a] to [d]) identifies which set of directives in "Workaround" applies to it.

Interstage Application Server
Product | Target OS | Package name | Patch ID
Interstage Application Server Enterprise Edition V5.0 for Windows [a] | Windows | F3FMihs | TP09823*
Interstage Application Server Standard Edition V5.0 for Windows [a] | Windows | F3FMihs | TP09823*
Interstage Application Server Web-J Edition V5.0 for Windows [a] | Windows | F3FMihs | TP09823*
Interstage Application Server Plus V5.0.1 for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Plus Developer V5.0.1 for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Enterprise Edition V6.0 for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Plus V6.0 for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Plus Developer V6.0 for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Enterprise Edition V7.0 for Windows [a] | Windows | F3FMihs | TP39823*
Interstage Application Server Plus V7.0 for Windows [a] | Windows | F3FMihs | TP39823*
Interstage Application Server Plus Developer V7.0 for Windows [a] | Windows | F3FMihs | TP39823*
Interstage Application Server Enterprise Edition V7.0.1 for Windows [a] | Windows | F3FMihs | TP39823*
Interstage Application Server Plus V7.0.1 for Windows [a] | Windows | F3FMihs | TP39823*
Interstage Application Server Enterprise Edition 8.0.0 for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Standard-J Edition 8.0.0 for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Enterprise Edition 8.0.1 for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Standard-J Edition 8.0.1 for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Enterprise Edition 8.0.2 for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Standard-J Edition 8.0.2 for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Enterprise Edition V9.0.0 for Windows [b] | Windows | F3FMihs | *
Interstage Application Server Standard-J Edition V9.0.0 for Windows [b] | Windows | F3FMihs | *
Interstage Application Server Enterprise Edition V9.0.0A for Windows [b] | Windows | F3FMihs | *
Interstage Application Server Standard-J Edition V9.0.0A for Windows [b] | Windows | F3FMihs | *
Interstage Application Server Enterprise Edition 5.0 [c] | Solaris | FJSVihs | 912327-11*
Interstage Application Server Standard Edition 5.0 [c] | Solaris | FJSVihs | 912327-11*
Interstage Application Server Web-J Edition 5.0 [c] | Solaris | FJSVihs | 912327-11*
Interstage Application Server Enterprise Edition 5.0.1 [c] | Solaris | FJSVihs | *
Interstage Application Server Enterprise Edition 6.0 [c] | Solaris | FJSVihs | T0103S-07*
Interstage Application Server Enterprise Edition 7.0 [c] | Solaris | FJSVihs | T013RS-06*
Interstage Application Server Plus 7.0 [c] | Solaris | FJSVihs | T013RS-06*
Interstage Application Server Enterprise Edition 7.0.1 [c] | Solaris | FJSVihs | T023AS-05*
Interstage Application Server Plus 7.0.1 [c] | Solaris | FJSVihs | T023AS-05*
Interstage Application Server Enterprise Edition 8.0.0 [c] | Solaris | FJSVihs | *
Interstage Application Server Standard-J Edition 8.0.0 [c] | Solaris | FJSVihs | *
Interstage Application Server Enterprise Edition 8.0.2 [c] | Solaris | FJSVihs | *
Interstage Application Server Standard-J Edition 8.0.2 [c] | Solaris | FJSVihs | *
Interstage Application Server Enterprise Edition V9.0.0 [d] | Solaris | FJSVihs | *
Interstage Application Server Standard-J Edition V9.0.0 [d] | Solaris | FJSVihs | *
Interstage Application Server Enterprise Edition V5.0 [c] | Turbolinux 7 Server | FJSVihs | T00019-10*
Interstage Application Server Standard Edition V5.0 [c] | Turbolinux 7 Server | FJSVihs | T00019-10*
Interstage Application Server Web-J Edition V5.0 [c] | Turbolinux 7 Server | FJSVihs | T00019-10*
Interstage Application Server Enterprise Edition V6.0 [c] | RHEL-AS3(x86)/ ES3(x86) | FJSVihs | *
Interstage Application Server Enterprise Edition V7.0 [c] | RHEL-AS3(x86)/ ES3(x86) | FJSVihs | T00603-05*
Interstage Application Server Plus V7.0 [c] | RHEL-AS3(x86)/ ES3(x86) | FJSVihs | T00603-05*
Interstage Application Server Enterprise Edition V7.0.1 [c] | RHEL-AS3(x86)/ ES3(x86)/ AS4(x86) | FJSVihs | T00603-05*
Interstage Application Server Plus V7.0.1 [c] | RHEL-AS3(x86)/ ES3(x86)/ AS4(x86) | FJSVihs | T00603-05*
Interstage Application Server Enterprise Edition 8.0.0 [c] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | *
Interstage Application Server Standard-J Edition 8.0.0 [c] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | *
Interstage Application Server Enterprise Edition 8.0.2 [c] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | *
Interstage Application Server Standard-J Edition 8.0.2 [c] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | *
Interstage Application Server Enterprise Edition V9.0.0 [d] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | *
Interstage Application Server Enterprise Edition V9.0.0 [d] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | *
Interstage Application Server Standard-J Edition V9.0.0 [d] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | *
Interstage Application Server Standard-J Edition V9.0.0 [d] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | *
Interstage Application Server Enterprise Edition V7.0 [c] | RHEL-AS4(IPF) | FJSVihs | *
Interstage Application Server Enterprise Edition 8.0.0 [c] | RHEL-AS4(IPF) | FJSVihs | *
Interstage Application Server Enterprise Edition 8.0.1 [c] | RHEL-AS4(IPF) | FJSVihs | *
Interstage Application Server Enterprise Edition 8.0.2 [c] | RHEL-AS4(IPF) | FJSVihs | *
Interstage Application Server Enterprise Edition V9.0.0 [d] | RHEL-AS4(IPF) | FJSVihs | *
Interstage Application Server Enterprise Edition V9.0.0 [d] | RHEL5(IPF) | FJSVihs | *
Interstage Application Server Standard-J Edition V9.0.0 [d] | RHEL-AS4(IPF) | FJSVihs | *
Interstage Application Server Standard-J Edition V9.0.0 [d] | RHEL5(IPF) | FJSVihs | *
Interstage Application Server Enterprise Edition 8.0.0 for Windows [a] | Windows(IPF) | F3FMihs | *
Interstage Application Server Enterprise Edition V9.0.0 for Windows [b] | Windows(IPF) | F3FMihs | *

Interstage Apworks
Product | Target OS | Package name | Patch ID
Interstage Apworks Modelers-J Edition V6.0 for Windows [a] | Windows | F3FMihs | *
Interstage Apworks Modelers-J Edition V6.0A for Windows [a] | Windows | F3FMihs | *
Interstage Apworks Modelers-J Edition V7.0 for Windows [a] | Windows | F3FMihs | TP39823*

Interstage Studio
Product | Target OS | Package name | Patch ID
Interstage Studio Enterprise Edition 8.0.1 for Windows [a] | Windows | F3FMihs | *
Interstage Studio Standard-J Edition 8.0.1 for Windows [a] | Windows | F3FMihs | *
Interstage Studio Enterprise Edition V9.0.0 for Windows [b] | Windows | F3FMihs | *
Interstage Studio Standard-J Edition V9.0.0 for Windows [b] | Windows | F3FMihs | *

Interstage Business Application Server
Product | Target OS | Package name | Patch ID
Interstage Business Application Server Enterprise Edition 8.0.0 [c] | RHEL-AS4(IPF) | FJSVihs | *

Interstage Job Workload Server
Product | Target OS | Package name | Patch ID
Interstage Job Workload Server 8.1.0 [c] | RHEL-AS4(IPF) | FJSVihs | *


* For patches without an ID or link, please contact a Fujitsu system engineer or your partner(s).


Note: Determining the affected product
To check the software version, refer to the "FUJITSU SOFTWARE RELEASE GUIDE" supplied with the product.

3-3. Workaround

In the Web server environment definition file (httpd.conf), disable the server status monitoring function by deleting the directives shown below for your product, or by putting a hash sign (#) at the start of each line to turn it into a comment. The <Location /server-status> block must be disabled in its entirety, from the opening tag to the closing tag, including every line between them (shown as dots). Then restart the Web server so that the change takes effect.

  • Product [a]
    #LoadModule status_module modules/mod_status.so
    #AddModule mod_status.c
    #ExtendedStatus On
    #<Location /server-status>
    #    SetHandler server-status
    #    .
    #    .
    #    .
    #</Location>
  • Product [b]
    #LoadModule status_module "C:/Interstage/F3FMihs/modules/mod_status.so"
    #ExtendedStatus On
    #<Location /server-status>
    #    SetHandler server-status
    #    .
    #    .
    #    .
    #</Location>
  • Product [c]
    #LoadModule status_module libexec/mod_status.so
    #AddModule mod_status.c
    #ExtendedStatus On
    #<Location /server-status>
    #    SetHandler server-status
    #    .
    #    .
    #    .
    #</Location>
  • Product [d]
    #LoadModule status_module "/opt/FJSVihs/modules/mod_status.so"
    #ExtendedStatus On
    #<Location /server-status>
    #    SetHandler server-status
    #    .
    #    .
    #    .
    #</Location>
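To verify that the workaround actually took effect on a given httpd.conf, and to apply it mechanically across many hosts, the following Python script is an added example; it is not part of this advisory and not Fujitsu or Interstage code. It scans a configuration for every uncommented directive that enables the status monitoring function: the status_module LoadModule line in any of the [a] to [d] path forms, AddModule mod_status.c, ExtendedStatus, and the whole <Location> block whose handler is server-status. It reports them with line numbers and can rewrite the file with those lines commented out, which is the edit the workaround describes. The httpd.conf fragment embedded in it is constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed httpd.conf fragment for illustration (not taken from any real
# Interstage installation): the status module is loaded and /server-status is active.
SAMPLE_HTTPD_CONF = """\
ServerRoot "/opt/FJSVihs"
Listen 80
LoadModule status_module libexec/mod_status.so
AddModule mod_status.c
ExtendedStatus On
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
<Location /docs>
    Options Indexes
</Location>
"""

# Stand-alone directives that enable the status monitoring function.  The
# LoadModule path is not matched, so the [a] to [d] variants are all covered.
STATUS_DIRECTIVE_RE = re.compile(
    r"^\s*(LoadModule\s+status_module\b|AddModule\s+mod_status\.c\b|"
    r"ExtendedStatus\b|SetHandler\s+server-status\b)",
    re.IGNORECASE,
)
LOCATION_OPEN_RE = re.compile(r"^\s*<Location\b", re.IGNORECASE)
LOCATION_CLOSE_RE = re.compile(r"^\s*</Location\s*>", re.IGNORECASE)
STATUS_HANDLER_RE = re.compile(r"^\s*SetHandler\s+server-status\b", re.IGNORECASE)


def find_active_status_directives(conf: str) -> List[Tuple[int, str]]:
    """Return (line number, line) for every uncommented line that enables the
    status page.  A <Location> block is reported in full when it carries
    'SetHandler server-status'; other <Location> blocks are left alone."""
    hits: List[Tuple[int, str]] = []
    in_block = False
    block_has_handler = False
    block_lines: List[Tuple[int, str]] = []
    for lineno, line in enumerate(conf.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                                   # blank or already commented out
        if LOCATION_OPEN_RE.match(line):
            in_block, block_has_handler, block_lines = True, False, [(lineno, line)]
            continue
        if in_block:
            block_lines.append((lineno, line))
            if STATUS_HANDLER_RE.match(line):
                block_has_handler = True
            if LOCATION_CLOSE_RE.match(line):
                if block_has_handler:
                    hits.extend(block_lines)           # whole block, as the workaround shows
                in_block = False
            continue
        if STATUS_DIRECTIVE_RE.match(line):
            hits.append((lineno, line))
    return hits


def disable_status_directives(conf: str) -> str:
    """Apply the workaround: prefix every line reported above with '#'.
    Everything else, including unrelated <Location> blocks, is returned unchanged."""
    to_comment = {lineno for lineno, _ in find_active_status_directives(conf)}
    out = [("#" + line) if lineno in to_comment else line
           for lineno, line in enumerate(conf.splitlines(), start=1)]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, line in find_active_status_directives(SAMPLE_HTTPD_CONF):
        print(f"{lineno:4d}: {line}")
    print(disable_status_directives(SAMPLE_HTTPD_CONF))
```

The script only edits the text; the Web server must still be restarted afterwards. A <Location> block is reported and commented out in full, including any access-control lines inside it, because the workaround comments out the entire block rather than just the SetHandler line. An empty report from a configuration that has already been rewritten is the check that the workaround is in place.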

4. Related information

CVE-2007-6388
Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39, when the server-status page is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388

5. Revision history

  • December 17th, 2008 : Initial release
