Interstage HTTP Server: Cross-site Scripting Problem (CVE-2008-2939). January 9th, 2009
1. Description
A cross-site scripting vulnerability has been confirmed in the proxy function of Interstage HTTP Server. This issue is described in CVE-2008-2939.
Fujitsu provides the security patches listed in section 3.
Please apply them as soon as possible.
2. Impact
An attacker can inject malicious scripts, leading to takeover of a victim's account, changes to user settings, misuse or falsification of cookies, display of illegal advertisements, etc.
3. Affected systems and corresponding action
3-1. Affected systems:
GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, AT-compatible machine, PRIMEQUEST, SPARC Enterprise
3-2. Affected products and required patch
Note: The values set in "Workaround" below depend on the product. The letter in square brackets after each product name indicates which of the settings under "Workaround" applies to that product.
Products | Target OS | Package name | Patch ID |
---|---|---|---|
Interstage Application Server Enterprise Edition V9.0.0 for Windows [a] | Windows | F3FMihs | * |
Interstage Application Server Standard-J Edition V9.0.0 for Windows [a] | Windows | F3FMihs | * |
Interstage Application Server Enterprise Edition V9.0.0A for Windows [a] | Windows | F3FMihs | * |
Interstage Application Server Standard-J Edition V9.0.0A for Windows [a] | Windows | F3FMihs | * |
Interstage Application Server Enterprise Edition V9.1.0 for Windows [a] | Windows | F3FMihs | T002174WP-01* |
Interstage Application Server Standard-J Edition V9.1.0 for Windows [a] | Windows | F3FMihs | T002174WP-01* |
Interstage Application Server Enterprise Edition V9.0.0 [b] | Solaris | FJSVihs | * |
Interstage Application Server Standard-J Edition V9.0.0 [b] | Solaris | FJSVihs | * |
Interstage Application Server Enterprise Edition V9.1.0 [b] | Solaris | FJSVihs | T002180SP-01* |
Interstage Application Server Standard-J Edition V9.1.0 [b] | Solaris | FJSVihs | T002180SP-01* |
Interstage Application Server Enterprise Edition V9.0.0 [b] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | * |
Interstage Application Server Enterprise Edition V9.0.0 [b] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | * |
Interstage Application Server Standard-J Edition V9.0.0 [b] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | * |
Interstage Application Server Standard-J Edition V9.0.0 [b] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | * |
Interstage Application Server Enterprise Edition V9.1.0 [b] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T002176LP-01* |
Interstage Application Server Enterprise Edition V9.1.0 [b] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T002177LP-01* |
Interstage Application Server Standard-J Edition V9.1.0 [b] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T002176LP-01* |
Interstage Application Server Standard-J Edition V9.1.0 [b] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T002177LP-01* |
Interstage Application Server Enterprise Edition V9.0.0 [b] | RHEL-AS4(IPF) | FJSVihs | * |
Interstage Application Server Enterprise Edition V9.0.0 [b] | RHEL5(IPF) | FJSVihs | * |
Interstage Application Server Standard-J Edition V9.0.0 [b] | RHEL-AS4(IPF) | FJSVihs | * |
Interstage Application Server Standard-J Edition V9.0.0 [b] | RHEL5(IPF) | FJSVihs | * |
Interstage Application Server Enterprise Edition V9.0.0A [b] | RHEL-AS4(IPF) | FJSVihs | * |
Interstage Application Server Enterprise Edition V9.0.0A [b] | RHEL5(IPF) | FJSVihs | * |
Interstage Application Server Enterprise Edition V9.1.0 [b] | RHEL-AS4(IPF) | FJSVihs | T002178QP-01* |
Interstage Application Server Enterprise Edition V9.1.0 [b] | RHEL5(IPF) | FJSVihs | T002179QP-01* |
Interstage Application Server Standard-J Edition V9.1.0 [b] | RHEL-AS4(IPF) | FJSVihs | T002178QP-01* |
Interstage Application Server Standard-J Edition V9.1.0 [b] | RHEL5(IPF) | FJSVihs | T002179QP-01* |
Interstage Application Server Enterprise Edition V9.0.0 for Windows [a] | Windows(IPF) | F3FMihs | * |
Interstage Application Server Standard-J Edition V9.0.0 for Windows [a] | Windows(IPF) | F3FMihs | * |
Interstage Application Server Enterprise Edition V9.1.0 for Windows [a] | Windows(IPF) | F3FMihs | T002175IP-01* |
Interstage Application Server Standard-J Edition V9.1.0 for Windows [a] | Windows(IPF) | F3FMihs | T002175IP-01* |
Products | Target OS | Package name | Patch ID |
---|---|---|---|
Interstage Studio Enterprise Edition V9.0.0 for Windows [a] | Windows | F3FMihs | * |
Interstage Studio Standard-J Edition V9.0.0 for Windows [a] | Windows | F3FMihs | * |
Interstage Studio Enterprise Edition V9.1.0 for Windows [a] | Windows | F3FMihs | T002174WP-01* |
Interstage Studio Standard-J Edition V9.1.0 for Windows [a] | Windows | F3FMihs | T002174WP-01* |
* For patches without an ID or link, please contact a Fujitsu system engineer or your partner(s).
Note: Determining the affected product
To check the software version, refer to the "FUJITSU SOFTWARE RELEASE GUIDE" supplied with the product.
3-3. Workaround
In the environment definition file (httpd.conf), either delete the directive shown below for your product, or put a hash sign (#) at the start of the line to turn it into a comment; either change disables the FTP proxy function. Then restart the Web server.
- Product [a]
  #LoadModule proxy_ftp_module "C:/Interstage/F3FMihs/modules/mod_proxy_ftp.so"
- Product [b]
  #LoadModule proxy_ftp_module "/opt/FJSVihs/modules/mod_proxy_ftp.so"
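The following added example (not Fujitsu's tooling or shipped configuration) checks whether the workaround above is actually in place for product [b] and applies it: it detects an active, uncommented LoadModule proxy_ftp_module line in an httpd.conf and writes a copy with that line commented out. The module path is the product [b] path from this advisory; the rest of the sample httpd.conf is constructed.

```shell
#!/bin/sh
# Added example, not Fujitsu's configuration or tooling. Audits and applies the
# advisory's workaround (commenting out LoadModule proxy_ftp_module). The module
# path is the product [b] path from the advisory; other lines are constructed.

# Write a constructed httpd.conf fragment to the path given in $1.
make_sample_conf() {
  cat > "$1" <<'EOF'
LoadModule proxy_module "/opt/FJSVihs/modules/mod_proxy.so"
   LoadModule proxy_ftp_module "/opt/FJSVihs/modules/mod_proxy_ftp.so"
# LoadModule proxy_connect_module "/opt/FJSVihs/modules/mod_proxy_connect.so"
Listen 80
EOF
}

# Exit status 0 if $1 still has an active (uncommented) proxy_ftp_module
# directive. Leading whitespace is tolerated; a leading '#' does not match,
# so a commented-out line counts as disabled.
proxy_ftp_active() {
  grep -Eq '^[[:space:]]*LoadModule[[:space:]]+proxy_ftp_module([[:space:]]|$)' "$1"
}

# Apply the workaround: copy $1 to $2 with every active proxy_ftp_module
# LoadModule line turned into a comment. Indentation is preserved so the
# result diffs cleanly against the original file.
disable_proxy_ftp() {
  sed -E 's/^([[:space:]]*)(LoadModule[[:space:]]+proxy_ftp_module([[:space:]].*)?)$/\1#\2/' "$1" > "$2"
}

# Number of commented-out proxy_ftp_module directives in $1 (audit output).
disabled_count() {
  grep -Ec '^[[:space:]]*#[[:space:]]*LoadModule[[:space:]]+proxy_ftp_module([[:space:]]|$)' "$1"
}

# Demo: audit the sample, apply the workaround, audit the result.
conf=$(mktemp) && fixed=$(mktemp)
make_sample_conf "$conf"
if proxy_ftp_active "$conf"; then echo "before: proxy_ftp_module is active"; fi
disable_proxy_ftp "$conf" "$fixed"
if proxy_ftp_active "$fixed"; then
  echo "after: proxy_ftp_module is still active"
else
  echo "after: disabled ($(disabled_count "$fixed") directive(s) commented out)"
fi
rm -f "$conf" "$fixed"
```

Run the audit function against the real httpd.conf after editing; the Web server still has to be restarted for the change to take effect, as the workaround states.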
4. Related information
CVE-2008-2939
Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2939
5. Revision history
- January 9th, 2009 : Initial release