製品・ソフトウェアに関する情報

JVN脆弱性詳細

Hitachi Web Server のステータス情報表示機能におけるクロスサイトスクリプティングの脆弱性

Title	Hitachi Web Server のステータス情報表示機能におけるクロスサイトスクリプティングの脆弱性
Summary	Hitachi Web Server のステータス情報表示画面に追加された不正なスクリプトが含まれたリクエストを受信した際に、Hitachi Web Server が自動生成するステータス情報表示画面にその不正なスクリプトが追加され、それがクライアント上で実行される脆弱性が存在します。本脆弱性は、ステータス情報表示機能を使用していない場合は影響を受けない事がベンダより報告されています。
Possible impacts	第三者によって不正なスクリプトが実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Oct. 5, 2007, midnight
Registration Date	Oct. 23, 2007, 3:56 p.m.
Last Update	May 21, 2014, 6:27 p.m.

CVSS2.0 : 警告
Score	4.3
Vector	AV:N/AC:M/Au:N/C:N/I:P/A:N

Affected System

日立

Cosminexus Application Server Enterprise Version 6

Cosminexus Application Server Standard Version 6

Cosminexus Application Server Version 5

Cosminexus Developer Light Version 6

Cosminexus Developer Professional Version 6

Cosminexus Developer Standard Version 6

Cosminexus Developer Version 5

Cosminexus Server - Enterprise Edition

Cosminexus Server - Standard Edition

Cosminexus Server - Standard Edition Version 4

Cosminexus Server - Web Edition

Cosminexus Server - Web Edition Version 4

Hitachi Web Server

uCosminexus Application Server Enterprise

uCosminexus Application Server Standard

uCosminexus Developer Professional

uCosminexus Developer Light

uCosminexus Developer Standard

uCosminexus Service Architect

uCosminexus Service Platform

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2006-5752	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752
2	CVE-2007-5809	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5809
National Vulnerability Database (NVD)
3	CVE-2006-5752	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5752
4	CVE-2007-5809	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5809

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
Hitachi Software Vulnerability Information
1	HS07-035	http://www.hitachi-support.com/security_e/vuls_e/HS07-035_e/index-e.html
ソフトウェア製品セキュリティ情報
2	HS07-035	http://www.hitachi-support.com/security/vuls/HS07-035/index.html

その他

No	Name	URL
FrSIRT Advisories
1	FrSIRT/ADV-2007-3666	http://www.frsirt.com/english/advisories/2007/3666
Secunia Advisory
2	SA27421	http://secunia.com/advisories/27421

Change Log

No	Changed Details	Date of change
0	[2007年10月23日] 掲載 [2014年05月21日] 参考情報：Common Vulnerabilities and Exposures (CVE) (CVE-2006-5752) を追加参考情報：National Vulnerability Database (NVD) (CVE-2006-5752) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2006-5752

Summary	Cross-site scripting (XSS) vulnerability in mod_status.c in the mod_status module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a public server-status page is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving charsets with browsers that perform "charset detection" when the content-type is not specified.
Publication Date	June 28, 2007, 2:30 a.m.
Registration Date	Jan. 29, 2021, 3:49 p.m.
Last Update	Nov. 7, 2023, 10:59 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:http_server::::::::	2.2.0			2.2.6
cpe:2.3:a:apache:http_server::::::::	2.0.0			2.0.61
cpe:2.3:a:apache:http_server::::::::	1.3.2			1.3.39

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:7.04:::::::*
cpe:2.3:o:canonical:ubuntu_linux:6.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:6.06:::::::*

Configuration3		or higher	or less	more than	less than
cpe:2.3:o:fedoraproject:fedora:7:::::::*

Configuration4	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_server:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:3.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:4.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:4.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:4.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:3.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:3.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:4.5:::::::*

Related information, measures and tools

No	URL	refsource	タグ
1	http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=245112	MISC	Issue Tracking Third Party Advisory
2	http://svn.apache.org/viewvc?view=rev&revision=549159	CONFIRM	Vendor Advisory
3	http://www.redhat.com/support/errata/RHSA-2007-0532.html	REDHAT	Third Party Advisory
4	http://rhn.redhat.com/errata/RHSA-2007-0534.html	REDHAT	Third Party Advisory
5	http://rhn.redhat.com/errata/RHSA-2007-0556.html	REDHAT	Third Party Advisory
6	http://www.securityfocus.com/bid/24645	BID	Patch Third Party Advisory VDB Entry
7	https://issues.rpath.com/browse/RPL-1500	CONFIRM	Broken Link
8	http://httpd.apache.org/security/vulnerabilities_13.html	CONFIRM	Vendor Advisory
9	http://httpd.apache.org/security/vulnerabilities_20.html	CONFIRM	Vendor Advisory
10	http://httpd.apache.org/security/vulnerabilities_22.html	CONFIRM	Vendor Advisory
11	http://support.avaya.com/elmodocs2/security/ASA-2007-353.htm	CONFIRM	Third Party Advisory
12	http://bugs.gentoo.org/show_bug.cgi?id=186219	CONFIRM	Issue Tracking Third Party Advisory
13	http://www-1.ibm.com/support/search.wss?rs=0&q=PK49295&apar=only	AIXAPAR	Third Party Advisory
14	http://www-1.ibm.com/support/docview.wss?uid=swg1PK52702	AIXAPAR	Third Party Advisory
15	http://www.redhat.com/archives/fedora-package-announce/2007-September/msg00320.html	FEDORA	Mailing List Third Party Advisory
16	http://security.gentoo.org/glsa/glsa-200711-06.xml	GENTOO	Third Party Advisory
17	http://www.mandriva.com/security/advisories?name=MDKSA-2007:140	MANDRIVA	Broken Link
18	http://www.mandriva.com/security/advisories?name=MDKSA-2007:141	MANDRIVA	Broken Link
19	http://www.mandriva.com/security/advisories?name=MDKSA-2007:142	MANDRIVA	Broken Link
20	https://rhn.redhat.com/errata/RHSA-2007-0533.html	REDHAT	Third Party Advisory
21	http://www.redhat.com/support/errata/RHSA-2007-0557.html	REDHAT	Third Party Advisory
22	http://www.novell.com/linux/security/advisories/2007_61_apache2.html	SUSE	Broken Link
23	http://www.trustix.org/errata/2007/0026/	TRUSTIX	Broken Link
24	http://www.ubuntu.com/usn/usn-499-1	UBUNTU	Third Party Advisory
25	http://www.securitytracker.com/id?1018302	SECTRACK	Broken Link Third Party Advisory VDB Entry
26	http://secunia.com/advisories/25827	SECUNIA	Not Applicable
27	http://secunia.com/advisories/25830	SECUNIA	Not Applicable
28	http://secunia.com/advisories/25873	SECUNIA	Not Applicable
29	http://secunia.com/advisories/25920	SECUNIA	Not Applicable
30	http://secunia.com/advisories/26273	SECUNIA	Not Applicable
31	http://secunia.com/advisories/26443	SECUNIA	Not Applicable
32	http://secunia.com/advisories/26458	SECUNIA	Not Applicable
33	http://secunia.com/advisories/26508	SECUNIA	Not Applicable
34	http://secunia.com/advisories/26822	SECUNIA	Not Applicable
35	http://secunia.com/advisories/26842	SECUNIA	Not Applicable
36	http://secunia.com/advisories/26993	SECUNIA	Not Applicable
37	http://secunia.com/advisories/27037	SECUNIA	Not Applicable
38	http://secunia.com/advisories/27563	SECUNIA	Not Applicable
39	http://secunia.com/advisories/27732	SECUNIA	Not Applicable
40	http://sunsolve.sun.com/search/document.do?assetkey=1-26-103179-1	SUNALERT	Broken Link
41	http://secunia.com/advisories/28212	SECUNIA	Not Applicable
42	http://secunia.com/advisories/28224	SECUNIA	Not Applicable
43	http://www.fujitsu.com/global/support/software/security/products-f/interstage-200802e.html	CONFIRM	Third Party Advisory
44	http://secunia.com/advisories/28606	SECUNIA	Not Applicable
45	http://sunsolve.sun.com/search/document.do?assetkey=1-66-200032-1	SUNALERT	Broken Link
46	http://www.redhat.com/support/errata/RHSA-2008-0261.html	REDHAT	Third Party Advisory
47	http://lists.vmware.com/pipermail/security-announce/2009/000062.html	MLIST	Mailing List Third Party Advisory
48	http://www.vupen.com/english/advisories/2008/0233	VUPEN	Permissions Required
49	http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795	HP	Third Party Advisory
50	http://www.vupen.com/english/advisories/2007/4305	VUPEN	Permissions Required
51	http://www.vupen.com/english/advisories/2007/2727	VUPEN	Permissions Required
52	http://www.vupen.com/english/advisories/2007/3283	VUPEN	Permissions Required
53	http://www.vupen.com/english/advisories/2007/3386	VUPEN	Permissions Required
54	http://osvdb.org/37052	OSVDB	Broken Link
55	http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html	CONFIRM	Third Party Advisory
56	https://exchange.xforce.ibmcloud.com/vulnerabilities/35097	XF	Third Party Advisory VDB Entry
57	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10154	OVAL	Third Party Advisory
58	http://www.securityfocus.com/archive/1/505990/100/0/threaded	BUGTRAQ	Third Party Advisory VDB Entry
59	https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E
60	https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E
61	https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E
62	https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E
63	https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E
64	https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E
65	https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E
66	https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E
67	https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
68	https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5%40%3Ccvs.httpd.apache.org%3E
69	https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E
70	https://lists.apache.org/thread.html/r652fc951306cdeca5a276e2021a34878a76695a9f3cfb6490b4a6840%40%3Ccvs.httpd.apache.org%3E
71	https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E
72	https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E
73	https://lists.apache.org/thread.html/reb542d2038e9c331506e0cbff881b47e40fbe2bd93ff00979e60cdf7%40%3Ccvs.httpd.apache.org%3E
74	https://lists.apache.org/thread.html/rafd145ba6cd0a4ced113a5823cdaff45aeb36eb09855b216401c66d6%40%3Ccvs.httpd.apache.org%3E
75	https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E
76	https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
77	https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E

Common Vulnerabilities List

CVE-2007-5809

Summary	Cross-site scripting (XSS) vulnerability in Hitachi Web Server 01-00 through 03-10, as used by certain Cosminexus products, allows remote attackers to inject arbitrary web script or HTML via unspecified HTTP requests that trigger creation of a server-status page.
Publication Date	Nov. 6, 2007, 2:46 a.m.
Registration Date	Jan. 29, 2021, 2:23 p.m.
Last Update	March 8, 2011, 12:01 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:hitachi:cosminexus_application_server_enterprise::::::::		06_51_j
cpe:2.3:a:hitachi:cosminexus_application_server_standard::::::::		06_51_j
cpe:2.3:a:hitachi:cosminexus_developer_light_version_6::::::::		06_51_j
cpe:2.3:a:hitachi:cosminexus_developer_professional_version_6::::::::		06_51_j
cpe:2.3:a:hitachi:cosminexus_developer_standard_version_6::::::::		06_51_j
cpe:2.3:a:hitachi:cosminexus_server::::::::		04_01
cpe:2.3:a:hitachi:ucosminexus_application_server_enterprise::::::::		07_50_01
cpe:2.3:a:hitachi:ucosminexus_application_server_standard::::::::		07_50_01
cpe:2.3:a:hitachi:ucosminexus_developer_light::::::::		06_71_d
cpe:2.3:a:hitachi:ucosminexus_developer_professional::::::::		07_50_01
cpe:2.3:a:hitachi:ucosminexus_developer_standard::::::::		07_50_01
cpe:2.3:a:hitachi:ucosminexus_service_architect::::::::		07_50_01
cpe:2.3:a:hitachi:ucosminexus_service_platform::::::::		07_50_01
cpe:2.3:a:hitachi:web_server:01_00::hpux:::::
cpe:2.3:a:hitachi:web_server:01_00::solaris:::::
cpe:2.3:a:hitachi:web_server:01_01::aix:::::
cpe:2.3:a:hitachi:web_server:01_01::linux:::::
cpe:2.3:a:hitachi:web_server:01_01::turbolinux:::::
cpe:2.3:a:hitachi:web_server:01_01_d::linux:::::
cpe:2.3:a:hitachi:web_server:01_02_d::hpux:::::
cpe:2.3:a:hitachi:web_server:01_02_d::solaris:::::
cpe:2.3:a:hitachi:web_server:01_02_e::aix:::::
cpe:2.3:a:hitachi:web_server:02_00::aix:::::
cpe:2.3:a:hitachi:web_server:02_00::hpux:::::
cpe:2.3:a:hitachi:web_server:02_00::linux:::::
cpe:2.3:a:hitachi:web_server:02_00::solaris:::::
cpe:2.3:a:hitachi:web_server:02_00::turbolinux:::::
cpe:2.3:a:hitachi:web_server:02_00::windows:::::
cpe:2.3:a:hitachi:web_server:02_00_a::linux:::::
cpe:2.3:a:hitachi:web_server:02_02::hpux:::::
cpe:2.3:a:hitachi:web_server:02_02::hpux\(ipf\):::::
cpe:2.3:a:hitachi:web_server:02_02::linux:::::
cpe:2.3:a:hitachi:web_server:02_04_b::aix:::::
cpe:2.3:a:hitachi:web_server:02_04_b::hpux:::::
cpe:2.3:a:hitachi:web_server:02_04_b::hpux\(ipf\):::::
cpe:2.3:a:hitachi:web_server:02_04_b::solaris:::::
cpe:2.3:a:hitachi:web_server:02_04_b::windows:::::
cpe:2.3:a:hitachi:web_server:02_06_a::linux:::::
cpe:2.3:a:hitachi:web_server:03_00::aix:::::
cpe:2.3:a:hitachi:web_server:03_00::hpux\(ipf\):::::
cpe:2.3:a:hitachi:web_server:03_00::linux:::::
cpe:2.3:a:hitachi:web_server:03_00::windows:::::
cpe:2.3:a:hitachi:web_server:03_00_01::solaris:::::
cpe:2.3:a:hitachi:web_server:03_00_01::windows:::::

Related information, measures and tools

No	URL	refsource	タグ
1	http://osvdb.org/42027	OSVDB
2	http://secunia.com/advisories/27421	SECUNIA	Vendor Advisory
3	http://www.hitachi-support.com/security_e/vuls_e/HS07-035_e/index-e.html	CONFIRM
4	http://www.securityfocus.com/bid/26271	BID
5	http://www.vupen.com/english/advisories/2007/3666	VUPEN

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

Configuration4	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_server:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:3.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:4.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:4.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:4.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:3.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:3.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:4.5:::::::*

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:hitachi:cosminexus_application_server_enterprise::::::::		06_51_j
cpe:2.3:a:hitachi:cosminexus_application_server_standard::::::::		06_51_j
cpe:2.3:a:hitachi:cosminexus_developer_light_version_6::::::::		06_51_j
cpe:2.3:a:hitachi:cosminexus_developer_professional_version_6::::::::		06_51_j
cpe:2.3:a:hitachi:cosminexus_developer_standard_version_6::::::::		06_51_j
cpe:2.3:a:hitachi:cosminexus_server::::::::		04_01
cpe:2.3:a:hitachi:ucosminexus_application_server_enterprise::::::::		07_50_01
cpe:2.3:a:hitachi:ucosminexus_application_server_standard::::::::		07_50_01
cpe:2.3:a:hitachi:ucosminexus_developer_light::::::::		06_71_d
cpe:2.3:a:hitachi:ucosminexus_developer_professional::::::::		07_50_01
cpe:2.3:a:hitachi:ucosminexus_developer_standard::::::::		07_50_01
cpe:2.3:a:hitachi:ucosminexus_service_architect::::::::		07_50_01
cpe:2.3:a:hitachi:ucosminexus_service_platform::::::::		07_50_01
cpe:2.3:a:hitachi:web_server:01_00::hpux:::::
cpe:2.3:a:hitachi:web_server:01_00::solaris:::::
cpe:2.3:a:hitachi:web_server:01_01::aix:::::
cpe:2.3:a:hitachi:web_server:01_01::linux:::::
cpe:2.3:a:hitachi:web_server:01_01::turbolinux:::::
cpe:2.3:a:hitachi:web_server:01_01_d::linux:::::
cpe:2.3:a:hitachi:web_server:01_02_d::hpux:::::
cpe:2.3:a:hitachi:web_server:01_02_d::solaris:::::
cpe:2.3:a:hitachi:web_server:01_02_e::aix:::::
cpe:2.3:a:hitachi:web_server:02_00::aix:::::
cpe:2.3:a:hitachi:web_server:02_00::hpux:::::
cpe:2.3:a:hitachi:web_server:02_00::linux:::::
cpe:2.3:a:hitachi:web_server:02_00::solaris:::::
cpe:2.3:a:hitachi:web_server:02_00::turbolinux:::::
cpe:2.3:a:hitachi:web_server:02_00::windows:::::
cpe:2.3:a:hitachi:web_server:02_00_a::linux:::::
cpe:2.3:a:hitachi:web_server:02_02::hpux:::::
cpe:2.3:a:hitachi:web_server:02_02::hpux\(ipf\):::::
cpe:2.3:a:hitachi:web_server:02_02::linux:::::
cpe:2.3:a:hitachi:web_server:02_04_b::aix:::::
cpe:2.3:a:hitachi:web_server:02_04_b::hpux:::::
cpe:2.3:a:hitachi:web_server:02_04_b::hpux\(ipf\):::::
cpe:2.3:a:hitachi:web_server:02_04_b::solaris:::::
cpe:2.3:a:hitachi:web_server:02_04_b::windows:::::
cpe:2.3:a:hitachi:web_server:02_06_a::linux:::::
cpe:2.3:a:hitachi:web_server:03_00::aix:::::
cpe:2.3:a:hitachi:web_server:03_00::hpux\(ipf\):::::
cpe:2.3:a:hitachi:web_server:03_00::linux:::::
cpe:2.3:a:hitachi:web_server:03_00::windows:::::
cpe:2.3:a:hitachi:web_server:03_00_01::solaris:::::
cpe:2.3:a:hitachi:web_server:03_00_01::windows:::::