Interstage HTTP Server: Cross-site Scripting Problem (CVE-2008-2939). January 9th, 2009



1. Description

A cross-site scripting vulnerability has been confirmed in the proxy function of Interstage HTTP Server. This issue is described in CVE-2008-2939.

Fujitsu provides the security patches listed in section 3.
Please apply them as soon as possible.

2. Impact

An attacker who injects malicious script could, for example, take over a victim's account or change user settings, misuse or falsify cookies, or display illegal advertisements.

3. Affected systems and corresponding action

3-1. Affected systems:

GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, AT-compatible machine, PRIMEQUEST, SPARC Enterprise

3-2. Affected products and required patch

Note: The setting used in the "Workaround" below depends on the product. The letter in square brackets after each product name ([a] or [b]) indicates which setting in "Workaround" applies.

Interstage Application Server

Products | Target OS | Package name | Patch ID
Interstage Application Server Enterprise Edition V9.0.0 for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Standard-J Edition V9.0.0 for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Enterprise Edition V9.0.0A for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Standard-J Edition V9.0.0A for Windows [a] | Windows | F3FMihs | *
Interstage Application Server Enterprise Edition V9.1.0 for Windows [a] | Windows | F3FMihs | T002174WP-01*
Interstage Application Server Standard-J Edition V9.1.0 for Windows [a] | Windows | F3FMihs | T002174WP-01*
Interstage Application Server Enterprise Edition V9.0.0 [b] | Solaris | FJSVihs | *
Interstage Application Server Standard-J Edition V9.0.0 [b] | Solaris | FJSVihs | *
Interstage Application Server Enterprise Edition V9.1.0 [b] | Solaris | FJSVihs | T002180SP-01*
Interstage Application Server Standard-J Edition V9.1.0 [b] | Solaris | FJSVihs | T002180SP-01*
Interstage Application Server Enterprise Edition V9.0.0 [b] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | *
Interstage Application Server Enterprise Edition V9.0.0 [b] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | *
Interstage Application Server Standard-J Edition V9.0.0 [b] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | *
Interstage Application Server Standard-J Edition V9.0.0 [b] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | *
Interstage Application Server Enterprise Edition V9.1.0 [b] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T002176LP-01*
Interstage Application Server Enterprise Edition V9.1.0 [b] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T002177LP-01*
Interstage Application Server Standard-J Edition V9.1.0 [b] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T002176LP-01*
Interstage Application Server Standard-J Edition V9.1.0 [b] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T002177LP-01*
Interstage Application Server Enterprise Edition V9.0.0 [b] | RHEL-AS4(IPF) | FJSVihs | *
Interstage Application Server Enterprise Edition V9.0.0 [b] | RHEL5(IPF) | FJSVihs | *
Interstage Application Server Standard-J Edition V9.0.0 [b] | RHEL-AS4(IPF) | FJSVihs | *
Interstage Application Server Standard-J Edition V9.0.0 [b] | RHEL5(IPF) | FJSVihs | *
Interstage Application Server Enterprise Edition V9.0.0A [b] | RHEL-AS4(IPF) | FJSVihs | *
Interstage Application Server Enterprise Edition V9.0.0A [b] | RHEL5(IPF) | FJSVihs | *
Interstage Application Server Enterprise Edition V9.1.0 [b] | RHEL-AS4(IPF) | FJSVihs | T002178QP-01*
Interstage Application Server Enterprise Edition V9.1.0 [b] | RHEL5(IPF) | FJSVihs | T002179QP-01*
Interstage Application Server Standard-J Edition V9.1.0 [b] | RHEL-AS4(IPF) | FJSVihs | T002178QP-01*
Interstage Application Server Standard-J Edition V9.1.0 [b] | RHEL5(IPF) | FJSVihs | T002179QP-01*
Interstage Application Server Enterprise Edition V9.0.0 for Windows [a] | Windows(IPF) | F3FMihs | *
Interstage Application Server Standard-J Edition V9.0.0 for Windows [a] | Windows(IPF) | F3FMihs | *
Interstage Application Server Enterprise Edition V9.1.0 for Windows [a] | Windows(IPF) | F3FMihs | T002175IP-01*
Interstage Application Server Standard-J Edition V9.1.0 for Windows [a] | Windows(IPF) | F3FMihs | T002175IP-01*

Interstage Studio

Products | Target OS | Package name | Patch ID
Interstage Studio Enterprise Edition V9.0.0 for Windows [a] | Windows | F3FMihs | *
Interstage Studio Standard-J Edition V9.0.0 for Windows [a] | Windows | F3FMihs | *
Interstage Studio Enterprise Edition V9.1.0 for Windows [a] | Windows | F3FMihs | T002174WP-01*
Interstage Studio Standard-J Edition V9.1.0 for Windows [a] | Windows | F3FMihs | T002174WP-01*


* For patches without an ID or link, please contact a Fujitsu system engineer or your partner(s).


Note: Determining the affected product
To check the software version, refer to the "FUJITSU SOFTWARE RELEASE GUIDE" supplied with the product.

3-3. Workaround

In the environment definition file (httpd.conf), either delete the directive shown below for your product, or put a hash sign (#) at the start of the line to turn it into a comment; this disables the proxy function. Then restart the Web server.

  • Product [a]
    #LoadModule proxy_ftp_module "C:/Interstage/F3FMihs/modules/mod_proxy_ftp.so"
  • Product [b]
    #LoadModule proxy_ftp_module "/opt/FJSVihs/modules/mod_proxy_ftp.so"
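The following script is an added example, not a Fujitsu tool, for verifying on a Unix-type system (product [b]) that the workaround above has actually taken effect in httpd.conf. It reports whether an active (uncommented) "LoadModule proxy_ftp_module" line is still present; the sample configuration files it creates are constructed for the demonstration and use the module path from the Product [b] entry above. It checks only the file it is given and does not follow Include directives, so point it at every configuration file your server reads.

```shell
#!/bin/sh
# Added example (not Fujitsu's own tooling): verify that the mod_proxy_ftp
# workaround from section 3-3 has been applied to an httpd.conf.

# Returns 0 (true) when an uncommented "LoadModule proxy_ftp_module" line is
# present, i.e. the proxy FTP module is still being loaded.  Leading
# whitespace is tolerated; a line beginning with '#' is a comment and does
# not count.  Include directives are NOT followed.
proxy_ftp_enabled() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+proxy_ftp_module([[:space:]]|$)' "$1"
}

# Human-readable report for one configuration file; always returns 0 so it
# can be called in a loop, use proxy_ftp_enabled for a pass/fail exit status.
report_workaround() {
    if proxy_ftp_enabled "$1"; then
        echo "$1: proxy_ftp_module is still loaded - workaround NOT applied"
    else
        echo "$1: no active proxy_ftp_module line - workaround applied"
    fi
}

# Constructed sample configuration files for the demonstration.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

# Before the workaround: the module is loaded.
cat > "$tmpdir/before.conf" <<'EOF'
LoadModule proxy_module "/opt/FJSVihs/modules/mod_proxy.so"
LoadModule proxy_ftp_module "/opt/FJSVihs/modules/mod_proxy_ftp.so"
EOF

# After the workaround: the directive is commented out as section 3-3 describes.
cat > "$tmpdir/after.conf" <<'EOF'
LoadModule proxy_module "/opt/FJSVihs/modules/mod_proxy.so"
#LoadModule proxy_ftp_module "/opt/FJSVihs/modules/mod_proxy_ftp.so"
EOF

# Edge cases: an indented comment must not count as active, and a directive
# separated by a tab must still be detected.
cat > "$tmpdir/indented_comment.conf" <<'EOF'
    #LoadModule proxy_ftp_module "/opt/FJSVihs/modules/mod_proxy_ftp.so"
EOF
printf 'LoadModule\tproxy_ftp_module "/opt/FJSVihs/modules/mod_proxy_ftp.so"\n' \
    > "$tmpdir/tabbed.conf"

for f in "$tmpdir/before.conf" "$tmpdir/after.conf" \
         "$tmpdir/indented_comment.conf" "$tmpdir/tabbed.conf"; do
    report_workaround "$f"
done
```

On a real host run proxy_ftp_enabled against the server's own httpd.conf (for example /opt/FJSVihs/conf/httpd.conf is assumed here as an illustrative path) and treat a zero exit status as "workaround not applied". The same grep pattern applies to the Windows product [a] configuration file; only the module path differs.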

4. Related information

CVE-2008-2939
Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2939

5. Revision history

  • January 9th, 2009 : Initial release
