Vulnerability Note VU#663763

Apache mod_proxy_ftp XSS vulnerability

Original Release date: 08 Aug 2008 | Last revised: 08 Aug 2008

Overview

The Apache web server mod_proxy_ftp module contains a cross-site scripting (XSS) vulnerability.

Description

The Apache mod_proxy_ftp module allows the Apache web server to act as a proxy for FTP sites. Filename globbing is the process of using wildcards to match filenames. The mod_proxy_ftp module contains an XSS vulnerability that occurs because the module does not properly filter globbed characters in FTP URIs.

Impact

A remote attacker may be able to execute arbitrary JavaScript in the context of a site being proxied by the Apache server.

Solution

Upgrade

Apache has released updates to address this issue. These updates are available on the Apache SVN server:
http://svn.apache.org/viewvc?view=rev&revision=682868
http://svn.apache.org/viewvc?view=rev&revision=682870
http://svn.apache.org/viewvc?view=rev&revision=682871

Note that vendors who distribute Apache may not immediately have a version or update that contains these fixes.

Workarounds

  • Mozilla Firefox users can use the NoScript extension to keep JavaScript from running in untrusted domains.
  • Application firewalls and IPS systems may be able to block certain types of XSS attacks at the network perimeter.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Apache HTTP Server Project | Affected | - | 08 Aug 2008

CVSS Metrics

Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

Credit

Thanks to Rapid7 and Apache for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

  • CVE IDs: CVE-2008-2939
  • Date Public: 06 Aug 2008
  • Date First Published: 08 Aug 2008
  • Date Last Updated: 08 Aug 2008
  • Severity Metric: 2.70
  • Document Revision: 16
