JVNDB-2007-000819

Cross-site scripting vulnerability in Apache HTTP Server "mod_imap" and "mod_imagemap"

mod_imap and mod_imagemap modules of the Apache HTTP Server are vulnerable to cross-site scripting.

The Apache HTTP Server is open source web server software. The Apache HTTP Server modules mod_imap and mod_imagemap provide server-side imagemap processing capability.
The Apache HTTP Server modules mod_imap and mod_imagemap are vulnerable to cross-site scripting.

Apache Software Foundation

• Apache HTTP Server 2.2.6 and earlier
• Apache HTTP Server 2.0.61 and earlier
• Apache HTTP Server 1.3.39 and earlier

IBM Corporation

• IBM HTTP Server 6.0.2.27
• IBM HTTP Server 6.1.0.15
• IBM HTTP Server 2.0.47.1
• IBM HTTP Server 1.3.28.1

Apple Inc.

• Apple Mac OS X v10.4.11
• Apple Mac OS X v10.5.2
• Apple Mac OS X Server v10.4.11
• Apple Mac OS X Server v10.5.2

Oracle Corporation

• Oracle HTTP Server 10.1.3.5.0

Cybertrust Japan Co., Ltd.

• Asianux Server 3 (x86)
• Asianux Server 3 (x86-64)
• Asianux Server 2.0
• Asianux Server 2.1
• Asianux Server 3.0
• Asianux Server 3.0 (x86-64)
• Asianux Server 4.0
• Asianux Server 4.0 (x86-64)

Sun Microsystems, Inc.

• Sun Solaris 10 (sparc)
• Sun Solaris 10 (x86)
• Sun Solaris 8 (sparc)
• Sun Solaris 8 (x86)
• Sun Solaris 9 (sparc)
• Sun Solaris 9 (x86)

Turbolinux, Inc.

• Turbolinux Appliance Server 1.0 (hosting)
• Turbolinux Appliance Server 1.0 (workgroup)
• Turbolinux Appliance Server 2.0
• Turbolinux FUJI
• Turbolinux Multimedia
• Turbolinux Personal
• Turbolinux Server 10
• Turbolinux Server 10 (x64)
• Turbolinux Server 11
• Turbolinux Server 11 (x64)
• Turbolinux Server 8

Hewlett-Packard Development Company,L.P

• HP-UX 11.11
• HP-UX 11.23
• HP-UX 11.31

Red Hat, Inc.

• Red Hat Application Stack v1 for Enterprise Linux AS (v.4)
• Red Hat Application Stack v1 for Enterprise Linux ES (v.4)
• Red Hat Enterprise Linux 5 (server)
• Red Hat Enterprise Linux 2.1 (as)
• Red Hat Enterprise Linux 3 (as)
• Red Hat Enterprise Linux 4 (as)
• Red Hat Enterprise Linux 2.1 (es)
• Red Hat Enterprise Linux 3 (es)
• Red Hat Enterprise Linux 4 (es)
• Red Hat Enterprise Linux 2.1 (ws)
• Red Hat Enterprise Linux 3 (ws)
• Red Hat Enterprise Linux 4 (ws)
• Red Hat Enterprise Linux Desktop 3.0
• Red Hat Enterprise Linux Desktop 4.0
• Red Hat Enterprise Linux Desktop 5.0 (client)
• Red Hat Linux Advanced Workstation 2.1
• RHEL Desktop Workstation 5 (client)

NEC Corporation

• WanBooster

Hitachi, Ltd

• Cosminexus Application Server Enterprise Version 6
• Cosminexus Application Server Standard Version 6
• Cosminexus Application Server Version 5
• Cosminexus Developer Professional Version 6
• Cosminexus Developer Standard Version 6
• Cosminexus Developer Light Version 6
• Cosminexus Developer Version 5
• Cosminexus Server Standard Edition Version 4
• Cosminexus Server Web Edition Version 4
• Cosminexus Server Enterprise Edition
• Cosminexus Server Standard Edition
• Cosminexus Server Web Edition
• Hitachi Web Server
• uCosminexus Application Server Enterprise
• uCosminexus Application Server Standard
• uCosminexus Developer Professional
• uCosminexus Developer Standard
• uCosminexus Developer Light
• uCosminexus Service Platform
• uCosminexus Service Architect

FUJITSU

• Interstage Application Framework Suite
• Interstage Application Server
• Interstage Apworks
• Interstage Business Application Server
• Interstage Job Workload Server
• Interstage Studio
• Interstage Web Server
• Systemwalker Resource Coordinator

An arbitrary script can be executed on the user's web browser.

[Apply the Patch]
Apply the appropriate patches according to the information provided by the vendors.

[Workarounds]
Use client-side image mapping instead of server-side image mapping.

Apache Software Foundation

• Apache httpd 1.3 vulnerabilities : Fixed in Apache httpd 1.3.41
• Apache httpd 2.0 vulnerabilities : Fixed in Apache httpd 2.0.63
• Apache httpd 2.2 vulnerabilities : Fixed in Apache httpd 2.2.8
• Apache-SVN : Revision 603282

IBM Corporation

• IBM Support Document : PK58024
• IBM Support Document : 7008517
• IBM Support Document : PK63273
• IBM Support Document : 7005198
• IBM Support Document : 7007033
• IBM Support Document : 4019245
• IBM Support Document : PK65782

Apple Inc.

• Apple Security Updates : Security Update 2008-002
• Apple Security Updates : Security Update 2008-003

Oracle Corporation

• Oracle Critical Patch Update : Oracle Critical Patch Update Advisory - July 2013
• Oracle Critical Patch Update : Text Form of Oracle Critical Patch Update - July 2013 Risk Matrices
• SECURITY BLOG : July 2013 Critical Patch Update Released

Cybertrust Japan Co., Ltd.

• Asianux Technical Support Network : httpd-2.2.3-11.3.1AX (Japanese)
• MIRACLE LINUX Update Information : 1205 (Japanese)
• MIRACLE LINUX Update Information : 1224 (Japanese)
• MIRACLE LINUX Update Information : 1221 (Japanese)

Sun Microsystems, Inc.

• Sun Alert Notification : 233623

Turbolinux, Inc.

• Turbolinux Security Advisory : TLSA-2007-56

Hewlett-Packard Development Company,L.P

• HP Security Bulletin : HPSBUX02308

Red Hat, Inc.

• Red Hat Security Advisory : RHSA-2008:0004
• Red Hat Security Advisory : RHSA-2008:0005
• Red Hat Security Advisory : RHSA-2008:0006
• Red Hat Security Advisory : RHSA-2008:0007
• Red Hat Security Advisory : RHSA-2008:0008

NEC Corporation

• NEC Security Information : NV07-013 (Japanese)

Hitachi, Ltd

• Hitachi Software Vulnerability Information : HS07-042

FUJITSU

• FUJITSU Security Information : interstage_as_200801
• FUJITSU Security Information : JVN#80057925

1. Cross-site Scripting(CWE-79) [NVD Evaluation]

1. CVE-2007-5000

1. JVN : JVN#80057925
2. JVN Status Tracking Notes : TRTA08-079A
3. JVN Status Tracking Notes : TRTA08-150A
4. National Vulnerability Database (NVD) : CVE-2007-5000
5. Secunia Advisory : SA28046
6. Secunia Advisory : SA28073
7. FrSIRT Advisories : FrSIRT/ADV-2007-4201
8. FrSIRT Advisories : FrSIRT/ADV-2007-4202

• [2008年05月21日]
  Web page published
  [2008年06月09日]
  Affected Products : Added Apple Inc (Security Update 2008-002).
  Affected Products : Sun Microsystems, Inc (233623).
  Affected Products : Added IBM Corporation (4019245).
  Vendor Information : Added Apple Inc (Security Update 2008-002).
  Vendor Information : Added Sun Microsystems, Inc (233623).
  Vendor Information : Added IBM Corporation.
  7005198
  7007033
  4019245
  PK65782
  [2008年06月18日]
  Vendor Information : Added Apple Inc (Security Update 2008-002).
  [2009年08月10日]
  Affected Products : Updated NEC Corporation (NV07-013).
  [2013年07月18日]
  Affected Products : Product of Oracle was added.
  Vendor Information : Contents of Oracle were added.