Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI.

From Red Hat Security Advisory 2008:0967 :

Updated httpd packages that resolve several security issues and fix a bug are now available for Red Hat Enterprise Linux 3, 4 and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

The Apache HTTP Server is a popular Web server.

A flaw was found in the mod_proxy Apache module. An attacker in control of a Web server to which requests were being proxied could have caused a limited denial of service due to CPU consumption and stack exhaustion. (CVE-2008-2364)

A flaw was found in the mod_proxy_ftp Apache module. If Apache was configured to support FTP-over-HTTP proxying, a remote attacker could have performed a cross-site scripting attack. (CVE-2008-2939)

In addition, these updated packages fix a bug found in the handling of the 'ProxyRemoteMatch' directive in the Red Hat Enterprise Linux 4 httpd packages. This bug is not present in the Red Hat Enterprise Linux 3 or Red Hat Enterprise Linux 5 packages.

Users of httpd should upgrade to these updated packages, which contain backported patches to correct these issues.

A flaw was found in the mod_proxy Apache module. An attacker in control of a Web server to which requests were being proxied could have caused a limited denial of service due to CPU consumption and stack exhaustion. (CVE-2008-2364)

A flaw was found in the mod_proxy_ftp Apache module. If Apache was configured to support FTP-over-HTTP proxying, a remote attacker could have performed a cross-site scripting attack. (CVE-2008-2939)

In addition, these updated packages fix a bug found in the handling of the 'ProxyRemoteMatch' directive in the Scientific Linux 4 httpd packages. This bug is not present in the Scientific Linux 3 or Scientific Linux 5 packages.

According to its banner, the version of Apache 2.0.x running on the remote host is prior to 2.0.64. It is, therefore, affected by the following vulnerabilities :

  - An unspecified error exists in the handling of requests     without a path segment. (CVE-2010-1452)

  - Several modules, including 'mod_deflate', are     vulnerable to a denial of service attack as the     server can be forced to utilize CPU time compressing     a large file after client disconnect. (CVE-2009-1891)

  - An unspecified error exists in 'mod_proxy' related to     filtration of authentication credentials.     (CVE-2009-3095)  
  - A NULL pointer dereference issue exists in     'mod_proxy_ftp' in some error handling paths.
    (CVE-2009-3094)

  - An error exists in 'mod_ssl' making the server     vulnerable to the TLC renegotiation prefix injection     attack. (CVE-2009-3555)

  - An error exists in the handling of subrequests such     that the parent request headers may be corrupted.
    (CVE-2010-0434)

  - An error exists in 'mod_proxy_http' when handling excessive     interim responses making it vulnerable to a denial of     service attack. (CVE-2008-2364)

  - An error exists in 'mod_isapi' that allows the module     to be unloaded too early, which leaves orphaned callback     pointers. (CVE-2010-0425)

  - An error exists in 'mod_proxy_ftp' when wildcards are     in an FTP URL, which allows for cross-site scripting     attacks. (CVE-2008-2939)

Note that the remote web server may not actually be affected by these vulnerabilities.  Nessus did not try to determine whether the affected modules are in use or to check for the issues themselves.

Multiple vulnerabilities has been found and corrected in apache :

Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm (CVE-2008-1678).
Note that this security issue does not really apply as zlib compression is not enabled in the openssl build provided by Mandriva, but apache is patched to address this issue anyway (conserns 2008.1 only).

mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server 2.2.11 allows remote attackers to obtain sensitive response data, intended for a client that sent an earlier POST request with no request body, via an HTTP request (CVE-2009-1191).

Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via wildcards in a pathname in an FTP URI (CVE-2008-2939). Note that this security issue was initially addressed with MDVSA-2008:195 but the patch fixing the issue was added but not applied in 2009.0.

The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges by configuring (1) Options Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a .htaccess file, and then inserting an exec element in a .shtml file (CVE-2009-1195).

The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests (CVE-2009-1890).

Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects (CVE-2009-1891).

The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13 allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command (CVE-2009-3094).

The mod_proxy_ftp module in the Apache HTTP Server allows remote attackers to bypass intended access restrictions and send arbitrary commands to an FTP server via vectors related to the embedding of these commands in the Authorization HTTP header, as demonstrated by a certain module in VulnDisco Pack Professional 8.11. NOTE: as of 20090903, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes (CVE-2009-3095).

Apache is affected by SSL injection or man-in-the-middle attacks due to a design flaw in the SSL and/or TLS protocols. A short term solution was released Sat Nov 07 2009 by the ASF team to mitigate these problems. Apache will now reject in-session renegotiation (CVE-2009-3555).

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers

This update provides a solution to these vulnerabilities.

Missing sanity checks of FTP URLs allowed cross-site scripting (XSS) attacks via the mod_prody_ftp module. (CVE-2008-2939)

Missing sanity checks of FTP URLs allowed cross site scripting (XSS) attacks via the mod_proxy_ftp module (CVE-2008-2939).

Missing precautions allowed cross site request forgery (CSRF) via the mod_proxy_balancer interface (CVE-2007-6420).

A memory leak in the ssl module could crash apache (CVE-2008-1678)

Multiple vulnerabilities has been found and corrected in apache :

Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm (CVE-2008-1678).
Note that this security issue does not really apply as zlib compression is not enabled in the openssl build provided by Mandriva, but apache is patched to address this issue anyway (conserns 2008.1 only).

Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via wildcards in a pathname in an FTP URI (CVE-2008-2939). Note that this security issue was initially addressed with MDVSA-2008:195 but the patch fixing the issue was added but not applied in 2009.0.

The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges by configuring (1) Options Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a .htaccess file, and then inserting an exec element in a .shtml file (CVE-2009-1195).

This update provides fixes for these vulnerabilities.

Update :

The patch for fixing CVE-2009-1195 for Mandriva Linux 2008.1 was incomplete, this update addresses the problem.

The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.7. 

Mac OS X 10.5.7 contains security fixes for the following products :

  - Apache
  - ATS
  - BIND
  - CFNetwork
  - CoreGraphics
  - Cscope
  - CUPS
  - Disk Images
  - enscript
  - Flash Player plug-in
  - Help Viewer
  - iChat
  - International Components for Unicode
  - IPSec
  - Kerberos
  - Kernel
  - Launch Services
  - libxml
  - Net-SNMP
  - Network Time
  - Networking
  - OpenSSL
  - PHP
  - QuickDraw Manager
  - ruby
  - Safari
  - Spotlight
  - system_cmds
  - telnet
  - Terminal
  - WebKit
  - X11

The remote host is running a version of Mac OS X 10.4 that does not have Security Update 2009-002 applied.

This security update contains fixes for the following products :

  - Apache
  - ATS
  - BIND
  - CoreGraphics
  - Cscope
  - CUPS
  - Disk Images
  - enscript
  - Flash Player plug-in
  - Help Viewer
  - IPSec
  - Kerberos
  - Launch Services
  - libxml
  - Net-SNMP
  - Network Time
  - OpenSSL
  - QuickDraw Manager
  - Spotlight
  - system_cmds
  - telnet
  - Terminal
  - X11

A vulnerability was discovered in the mod_proxy module in Apache where it did not limit the number of forwarded interim responses, allowing remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses (CVE-2008-2364).

A cross-site scripting vulnerability was found in the mod_proxy_ftp module in Apache that allowed remote attackers to inject arbitrary web script or HTML via wildcards in a pathname in an FTP URI (CVE-2008-2939).

The updated packages have been patched to prevent these issues.

Updated httpd packages that resolve several security issues and fix a bug are now available for Red Hat Enterprise Linux 3, 4 and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

The Apache HTTP Server is a popular Web server.

A flaw was found in the mod_proxy Apache module. An attacker in control of a Web server to which requests were being proxied could have caused a limited denial of service due to CPU consumption and stack exhaustion. (CVE-2008-2364)

A flaw was found in the mod_proxy_ftp Apache module. If Apache was configured to support FTP-over-HTTP proxying, a remote attacker could have performed a cross-site scripting attack. (CVE-2008-2939)

In addition, these updated packages fix a bug found in the handling of the 'ProxyRemoteMatch' directive in the Red Hat Enterprise Linux 4 httpd packages. This bug is not present in the Red Hat Enterprise Linux 3 or Red Hat Enterprise Linux 5 packages.

Users of httpd should upgrade to these updated packages, which contain backported patches to correct these issues.

It was discovered that Apache did not sanitize the method specifier header from an HTTP request when it is returned in an error message, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such as passwords), within the same domain. This issue only affected Ubuntu 6.06 LTS and 7.10. (CVE-2007-6203)

It was discovered that Apache was vulnerable to a cross-site request forgery (CSRF) in the mod_proxy_balancer balancer manager. If an Apache administrator were tricked into clicking a link on a specially crafted web page, an attacker could trigger commands that could modify the balancer manager configuration. This issue only affected Ubuntu 7.10 and 8.04 LTS. (CVE-2007-6420)

It was discovered that Apache had a memory leak when using mod_ssl with compression. A remote attacker could exploit this to exhaust server memory, leading to a denial of service. This issue only affected Ubuntu 7.10. (CVE-2008-1678)

It was discovered that in certain conditions, Apache did not specify a default character set when returning certain error messages containing UTF-7 encoded data, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. This issue only affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-2168)

It was discovered that when configured as a proxy server, Apache did not limit the number of forwarded interim responses. A malicious remote server could send a large number of interim responses and cause a denial of service via memory exhaustion. (CVE-2008-2364)

It was discovered that mod_proxy_ftp did not sanitize wildcard pathnames when they are returned in directory listings, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. (CVE-2008-2939).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

CVE Mitre reports :

Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI.

Missing sanity checks of FTP URLs allowed cross-site scripting (XSS) attacks via the mod_prody_ftp module. (CVE-2008-2939)

Missing precautions allowed cross-site request forgery (CSRF) via the mod_proxy_balancer interface. (CVE-2007-6420)

Missing sanity checks of FTP URLs allowed cross site scripting (XSS) attacks via the mod_proxy_ftp module (CVE-2008-2939).

Missing precautions allowed cross site request forgery (CSRF) via the mod_proxy_balancer interface (CVE-2007-6420).

Versions of Apache HTTP Server earlier than 2.2.10 are potentially affected by multiple vulnerabilities :

  - An information disclosure vulnerability in mod_proxy_http.  Note that this only affects Apache on Unix systems. (CVE-2010-2791)

  - The mod_proxy_ftp module in the version of Apache installed on the remote host fails to properly sanitize user-supplied URL input before using it to generate dynamic HTML output.  Using specially crafted requests for FTP URLs with globbing characters (such as asterisk, tilde, opening square bracket, etc.), an attacker may be able to leverage this issue to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected site. (CVE-2008-2939)

The mod_proxy_ftp module in the version of Apache running on the remote host fails to properly sanitize user-supplied URL input before using it to generate dynamic HTML output. Using specially crafted requests for FTP URLs with globbing characters (such as asterisk, tilde, opening square bracket, etc), an attacker may be able to leverage this issue to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected site.

The remote host is running a version of Mac OS X 10.5 that is older than version 10.5.7.  Mac OS X 10.5.7 contains security fixes for the following products : 

- Apache
- ATS
- BIND
- CFNetwork
- CoreGraphics
-Cscope
- CUPS
- Disk Images
- enscript
- Flash player
- Help Viewer
- iChat
- Internation Components for Unicode
- IPSec
- Kerberos
- Kernel
- Launch Services
- libxml
- Net-SNMP
- Network Time
- Networking
- OpenSSL
- PHP
- QuickDraw Manager
- ruby
- Safari
- Spotlight
- system_cmds
- telnet
- WebKit
- X11
- Terminal

ID	Name	Product	Family	Severity
67760	Oracle Linux 3 / 4 / 5 : httpd (ELSA-2008-0967)	Nessus	Oracle Linux Local Security Checks	medium
60493	Scientific Linux Security Update : httpd on SL3.x, SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
50069	Apache 2.0.x < 2.0.64 Multiple Vulnerabilities	Nessus	Web Servers	high
43042	Mandriva Linux Security Advisory : apache (MDVSA-2009:323)	Nessus	Mandriva Local Security Checks	high
41245	SuSE9 Security Update : Apache 2 (YOU Patch Number 12258)	Nessus	SuSE Local Security Checks	medium
39910	openSUSE Security Update : apache2 (apache2-222)	Nessus	SuSE Local Security Checks	medium
39761	Mandriva Linux Security Advisory : apache (MDVSA-2009:124-1)	Nessus	Mandriva Local Security Checks	medium
38744	Mac OS X 10.5.x < 10.5.7 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
38743	Mac OS X Multiple Vulnerabilities (Security Update 2009-002)	Nessus	MacOS X Local Security Checks	critical
37114	Mandriva Linux Security Advisory : apache (MDVSA-2008:195)	Nessus	Mandriva Local Security Checks	medium
37062	CentOS 3 / 4 / 5 : httpd (CESA-2008:0967)	Nessus	CentOS Local Security Checks	medium
36589	Ubuntu 6.06 LTS / 7.10 / 8.04 LTS : apache2 vulnerabilities (USN-731-1)	Nessus	Ubuntu Local Security Checks	medium
35911	FreeBSD : apache -- XSS vulnerability (f1892066-0e74-11de-92de-000bcdc1757a)	Nessus	FreeBSD Local Security Checks	medium
34779	SuSE 10 Security Update : Apache 2 (ZYPP Patch Number 5767)	Nessus	SuSE Local Security Checks	medium
34751	RHEL 3 / 4 / 5 : httpd (RHSA-2008:0967)	Nessus	Red Hat Local Security Checks	medium
34699	openSUSE 10 Security Update : apache2 (apache2-5648)	Nessus	SuSE Local Security Checks	medium
34698	SuSE 10 Security Update : Apache 2 (ZYPP Patch Number 5629)	Nessus	SuSE Local Security Checks	medium
34697	openSUSE 10 Security Update : apache2 (apache2-5628)	Nessus	SuSE Local Security Checks	medium
4712	Apache < 2.2.10 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	medium
34433	Apache mod_proxy_ftp Directory Component Wildcard Character Globbing XSS	Nessus	Web Servers	medium
5023	Mac OS X 10.5 < 10.5.7 Multiple Vulnerabilities	Nessus Network Monitor	Generic	critical
800792	Mac OS X 10.5 < 10.5.7 Multiple Vulnerabilities	Log Correlation Engine	Operating System Detection	high
800555	Apache < 2.2.10 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	medium

Detections

Analytics

CVE-2008-2939

medium

Tenable Plugins

medium

medium

high

high

medium

medium

medium

critical

critical

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

critical

high

medium