National Cyber-Alert System
Vulnerability Summary for CVE-2008-2939
Original release date:08/06/2008
Last revised:07/06/2011
Source:
US-CERT/NIST
Overview
Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI.
Impact
CVSS Severity (version 2.0):
Impact Subscore:
2.9
Exploitability Subscore:
8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type:Allows unauthorized modification
Official Statement from Red Hat (11/12/2008)
These issue was addressed in all affected httpd versions as shipped in Red Hat Enterprise Linux 3, 4, and 5 were fixed via: https://rhn.redhat.com/errata/RHSA-2008-0967.html
This issue is tracked via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-2939
The Red Hat Security Response Team has rated this issue as having low security impact, future updates may address this flaw in other affected products (such as Red Hat Application Stack).
References to Advisories, Solutions, and Tools
By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.
US-CERT Technical Alert: TA09-133A
Name: TA09-133A
US-CERT Vulnerability Note: VU#663763
Name: VU#663763
External Source: XF
Name: apache-modproxyftp-xss(44223)
External Source: VUPEN
Name: ADV-2009-1297
External Source: VUPEN
Name: ADV-2009-0320
External Source: VUPEN
Name: ADV-2008-2461
External Source: VUPEN
Name: ADV-2008-2315
External Source: UBUNTU
Name: USN-731-1
External Source: SECTRACK
Name: 1020635
External Source: BID
Name: 30560
External Source: BUGTRAQ
Name: 20081122 rPSA-2008-0328-1 httpd mod_ssl
External Source: BUGTRAQ
Name: 20081122 rPSA-2008-0327-1 httpd mod_ssl
External Source: BUGTRAQ
Name: 20080806 Apache HTTP Server mod_proxy_ftp Wildcard Characters Cross-Site Scripting
External Source: REDHAT
Name: RHSA-2008:0966
External Source: MISC
Name: http://www.rapid7.com/advisories/R7-0033
External Source: MANDRIVA
Name: MDVSA-2009:124
External Source: MANDRIVA
Name: MDVSA-2008:195
External Source: MANDRIVA
Name: MDVSA-2008:194
External Source: AIXAPAR
Name: PK70937
External Source: AIXAPAR
Name: PK70197
External Source: CONFIRM
Name: http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0328
External Source: CONFIRM
Name: http://wiki.rpath.com/Advisories:rPSA-2008-0327
External Source: CONFIRM
Name: http://svn.apache.org/viewvc?view=rev&revision=682871
External Source: CONFIRM
Name: http://svn.apache.org/viewvc?view=rev&revision=682870
External Source: CONFIRM
Name: http://svn.apache.org/viewvc?view=rev&revision=682868
External Source: CONFIRM
Name: http://support.apple.com/kb/HT3549
External Source: SUNALERT
Name: 247666
External Source: SECUNIA
Name: 35074
External Source: SECUNIA
Name: 34219
External Source: SECUNIA
Name: 33797
External Source: SECUNIA
Name: 33156
External Source: SECUNIA
Name: 32838
External Source: SECUNIA
Name: 32685
External Source: SECUNIA
Name: 31673
External Source: SECUNIA
Name: 31384
Type: Advisory
External Source: REDHAT
Name: RHSA-2008:0967
External Source: OVAL
Name: oval:org.mitre.oval:def:7716
External Source: OVAL
Name: oval:org.mitre.oval:def:11316
External Source: HP
Name: SSRT090192
External Source: HP
Name: SSRT090192
External Source: HP
Name: HPSBUX02401
External Source: HP
Name: HPSBUX02401
External Source: SUSE
Name: SUSE-SR:2008:024
External Source: APPLE
Name: APPLE-SA-2009-05-12
References to Check Content
Identifier:oval:org.mitre.oval:def:11316
Check System:http://oval.mitre.org/XMLSchema/oval-definitions-5
Identifier:oval:org.mitre.oval:def:7716
Check System:http://oval.mitre.org/XMLSchema/oval-definitions-5
Technical Details
- Cross-Site Scripting (XSS) (CWE-79)