製品・ソフトウェアに関する情報

JVN脆弱性詳細

Apache の mod_proxy_ftp モジュールにおけるクロスサイトスクリプティングの脆弱性

Title	Apache の mod_proxy_ftp モジュールにおけるクロスサイトスクリプティングの脆弱性
Summary	Apache の mod_proxy_ftp モジュールには、proxy_ftp.c および mod_proxy_ftp.c において、FTP URI パス名のワイルドカードの取り扱いに不備があり、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	第三者により任意のウェブスクリプトや HTML を挿入される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Aug. 6, 2008, midnight
Registration Date	Sept. 4, 2008, 2:22 p.m.
Last Update	Nov. 4, 2010, 3:35 p.m.

CVSS2.0 : 警告
Score	4.3
Vector	AV:N/AC:M/Au:N/C:N/I:P/A:N

Affected System

サン・マイクロシステムズ

Sun Solaris 10 (sparc)

Sun Solaris 10 (x86)

レッドハット

Red Hat Enterprise Linux 3 (as)

Red Hat Enterprise Linux 3 (es)

Red Hat Enterprise Linux 3 (ws)

Red Hat Enterprise Linux 4 (as)

Red Hat Enterprise Linux 4 (es)

Red Hat Enterprise Linux 4 (ws)

Red Hat Enterprise Linux 5 (server)

Red Hat Enterprise Linux Desktop 3.0

Red Hat Enterprise Linux Desktop 4.0

Red Hat Enterprise Linux Desktop 5.0 (client)

RHEL Desktop Workstation 5 (client)

ヒューレット・パッカード

HP-UX 11.11

HP-UX 11.23

HP-UX 11.31

Apache Software Foundation

Apache HTTP Server 2.0.63 以前

Apache HTTP Server 2.2.9 以前

IBM

IBM HTTP Server 2.0.47.x

IBM HTTP Server 6.0.2.33 未満

IBM HTTP Server 6.1.0.21 未満

ターボリナックス

Turbolinux Appliance Server 2.0

Turbolinux Client 2008

Turbolinux FUJI

Turbolinux Multimedia

Turbolinux Personal

Turbolinux Server 10

Turbolinux Server 10 (x64)

Turbolinux Server 11

Turbolinux Server 11 (x64)

サイバートラスト株式会社

Asianux Server 3 (x86)

Asianux Server 3 (x86-64)

Asianux Server 3.0

Asianux Server 3.0 (x86-64)

Asianux Server 4.0

Asianux Server 4.0 (x86-64)

アップル

Apple Mac OS X v10.4.11

Apple Mac OS X Server v10.4.11

富士通

Interstage Application Server

Interstage Studio

Interstage Web Server

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2008-2939	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2939
National Vulnerability Database (NVD)
2	CVE-2008-2939	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2939

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
Apache httpd 2.0 vulnerabilities
1	Fixed in Apache httpd 2.0.64	http://httpd.apache.org/security/vulnerabilities_20.html#2.0.64
Apache httpd 2.2 vulnerabilities
2	Fixed in Apache httpd 2.2.10-dev	http://httpd.apache.org/security/vulnerabilities_22.html#2.2.10-dev
3	vulnerabilities_22	http://httpd.apache.org/security/vulnerabilities_22.html
Apple Security Updates
4	HT3549	http://support.apple.com/kb/HT3549
Apple セキュリティアップデート
5	HT3549	http://support.apple.com/kb/HT3549?viewlocale=ja_JP
Asianux Technical Support Network
6	httpd-2.2.3-11.4.1AXS3	https://tsn.miraclelinux.com/tsn_local/index.php?m=errata&a=detail&eid=369
HP Security Bulletin
7	HPSBUX02401	http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01650939
8	HPSBUX02465	http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01905287
IBM Support Document
9	7007033#60233	http://www-01.ibm.com/support/docview.wss?uid=swg27007033#60233
10	7008517#61021	http://www-01.ibm.com/support/docview.wss?uid=swg27008517#61021
11	PM10658	http://www-01.ibm.com/support/docview.wss?uid=swg1PM10658
MIRACLE LINUX アップデート情報
12	1366	http://www.miraclelinux.com/support/index.php?q=node/99&errata_id=1366
Red Hat Security Advisory
13	RHSA-2008:0967	https://rhn.redhat.com/errata/RHSA-2008-0967.html
Sun Alert Notification
14	247666	http://sunsolve.sun.com/search/document.do?assetkey=1-66-247666-1
サポート技術情報
15	interstage_as_200809	http://software.fujitsu.com/jp/security/products-fujitsu/solution/interstage_as_200809.html
製品セキュリティ情報
16	TLSA-2008-34	http://www.turbolinux.co.jp/security/2008/TLSA-2008-34j.txt

その他

No	Name	URL
FrSIRT Advisories
1	FrSIRT/ADV-2008-2315	http://www.frsirt.com/english/advisories/2008/2315
ISS X-Force Database
2	44223	http://xforce.iss.net/xforce/xfdb/44223
Secunia Advisory
3	SA31384	http://secunia.com/advisories/31384
SecurityFocus
4	30560	http://www.securityfocus.com/bid/30560
SecurityTracker
5	1020635	http://securitytracker.com/id?1020635
US-CERT Vulnerability Note
6	VU#663763	http://www.kb.cert.org/vuls/id/663763

Change Log

No	Changed Details	Date of change
0	[2008年09月04日] 掲載 [2008年10月07日] 影響を受けるシステム：ターボリナックス（TLSA-2008-34）の情報を追加ベンダ情報：ターボリナックス（TLSA-2008-34）を追加 [2008年11月12日] 影響を受けるシステム：レッドハット（RHSA-2008:0967）の情報を追加ベンダ情報：Apache Software Foundation（vulnerabilities_22）を追加ベンダ情報：Apache Software Foundation（CHANGES_2.2.10）を追加ベンダ情報：レッドハット（RHSA-2008:0967）を追加 [2008年12月12日] 影響を受けるシステム：IBM (7008517#610213) の情報を追加影響を受けるシステム：ミラクル・リナックス (httpd-2.2.3-11.4.1AXS3) の情報を追加影響を受けるシステム：ミラクル・リナックス (1366) の情報を追加ベンダ情報：IBM (7008517#610213) を追加ベンダ情報：ミラクル・リナックス (httpd-2.2.3-11.4.1AXS3) を追加ベンダ情報：ミラクル・リナックス (1366) を追加 [2009年01月29日] 影響を受けるシステム：サン・マイクロシステムズ (247666) の情報を追加影響を受けるシステム：富士通 (interstage_as_200809) の情報を追加ベンダ情報：サン・マイクロシステムズ (247666) を追加ベンダ情報：富士通 (interstage_as_200809) を追加 [2009年02月25日] 影響を受けるシステム：IBM (7007033#60233) の情報を追加影響を受けるシステム：ヒューレット・パッカード (HPSBUX02401) の情報を追加ベンダ情報：IBM (7007033#60233) の情報を追加ベンダ情報：ヒューレット・パッカード (HPSBUX02401) を追加 [2009年06月26日] 影響を受けるシステム：アップル (HT3549) の情報を追加ベンダ情報：アップル (HT3549) を追加 [2009年11月16日] ベンダ情報：ヒューレット・パッカード (HPSBUX02465) を追加 [2010年04月28日] 影響を受けるシステム：IBM (PM10658) の情報を追加ベンダ情報：IBM (PM10658) を追加 [2010年11月04日] ベンダ情報：Apache Software Foundation (Fixed in Apache httpd 2.0.64) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2008-2939

Summary	Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI.
Publication Date	Aug. 7, 2008, 3:41 a.m.
Registration Date	Jan. 29, 2021, 1:38 p.m.
Last Update	Jan. 20, 2024, 12:13 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:http_server::::::::		2.0.63
cpe:2.3:a:apache:http_server::::::::	2.2.0	2.2.9

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:6.06::::lts:::
cpe:2.3:o:opensuse:opensuse:10.2:::::::*
cpe:2.3:o:canonical:ubuntu_linux:7.10:::::::*
cpe:2.3:o:apple:mac_os_x::::::::		10.5.6
cpe:2.3:o:opensuse:opensuse:11.0:::::::*
cpe:2.3:o:opensuse:opensuse:10.3:::::::*
cpe:2.3:o:canonical:ubuntu_linux:8.04::::lts:::

Related information, measures and tools

No	URL	refsource	タグ
1	http://svn.apache.org/viewvc?view=rev&revision=682868	CONFIRM	Third Party Advisory
2	http://svn.apache.org/viewvc?view=rev&revision=682871	CONFIRM	Third Party Advisory
3	http://www.securityfocus.com/bid/30560	BID	Third Party Advisory VDB Entry
4	http://secunia.com/advisories/31384	SECUNIA	Broken Link
5	http://www.rapid7.com/advisories/R7-0033	MISC	Broken Link
6	http://secunia.com/advisories/31673	SECUNIA	Broken Link
7	http://www.kb.cert.org/vuls/id/663763	CERT-VN	Third Party Advisory US Government Resource
8	http://www.securitytracker.com/id?1020635	SECTRACK	Third Party Advisory VDB Entry
9	http://www-1.ibm.com/support/docview.wss?uid=swg1PK70197	AIXAPAR	Third Party Advisory
10	http://svn.apache.org/viewvc?view=rev&revision=682870	CONFIRM	Third Party Advisory
11	http://www-1.ibm.com/support/docview.wss?uid=swg1PK70937	AIXAPAR	Third Party Advisory
12	http://www.mandriva.com/security/advisories?name=MDVSA-2008:195	MANDRIVA	Broken Link
13	http://www.mandriva.com/security/advisories?name=MDVSA-2008:194	MANDRIVA	Broken Link
14	http://secunia.com/advisories/32685	SECUNIA	Broken Link
15	http://rhn.redhat.com/errata/RHSA-2008-0967.html	REDHAT	Third Party Advisory
16	http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00000.html	SUSE	Third Party Advisory
17	http://www.redhat.com/support/errata/RHSA-2008-0966.html	REDHAT	Third Party Advisory
18	http://sunsolve.sun.com/search/document.do?assetkey=1-26-247666-1	SUNALERT	Broken Link
19	http://secunia.com/advisories/33156	SECUNIA	Broken Link
20	http://marc.info/?l=bugtraq&m=123376588623823&w=2	HP	Third Party Advisory
21	http://secunia.com/advisories/33797	SECUNIA	Broken Link
22	http://secunia.com/advisories/32838	SECUNIA	Broken Link
23	http://wiki.rpath.com/Advisories:rPSA-2008-0327	CONFIRM	Broken Link
24	http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0328	CONFIRM	Broken Link
25	http://www.ubuntu.com/usn/USN-731-1	UBUNTU	Third Party Advisory VDB Entry
26	http://secunia.com/advisories/34219	SECUNIA	Broken Link
27	http://lists.apple.com/archives/security-announce/2009/May/msg00002.html	APPLE	Mailing List
28	http://support.apple.com/kb/HT3549	CONFIRM	Third Party Advisory
29	http://www.us-cert.gov/cas/techalerts/TA09-133A.html	CERT	Third Party Advisory US Government Resource
30	http://secunia.com/advisories/35074	SECUNIA	Broken Link
31	http://www.vupen.com/english/advisories/2009/1297	VUPEN	Permissions Required
32	http://www.mandriva.com/security/advisories?name=MDVSA-2009:124	MANDRIVA	Broken Link
33	http://marc.info/?l=bugtraq&m=125631037611762&w=2	HP	Third Party Advisory
34	http://www.vupen.com/english/advisories/2009/0320	VUPEN	Permissions Required
35	http://www.vupen.com/english/advisories/2008/2315	VUPEN	Permissions Required
36	http://www.vupen.com/english/advisories/2008/2461	VUPEN	Permissions Required
37	https://exchange.xforce.ibmcloud.com/vulnerabilities/44223	XF	VDB Entry
38	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7716	OVAL	Broken Link
39	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11316	OVAL	Broken Link
40	http://www.securityfocus.com/archive/1/498567/100/0/threaded	BUGTRAQ	Third Party Advisory VDB Entry
41	http://www.securityfocus.com/archive/1/498566/100/0/threaded	BUGTRAQ	Third Party Advisory VDB Entry
42	http://www.securityfocus.com/archive/1/495180/100/0/threaded	BUGTRAQ	Third Party Advisory VDB Entry
43	https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E	MISC	Third Party Advisory
44	https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E	MISC	Third Party Advisory
45	https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E	MISC	Third Party Advisory
46	https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E	MISC	Third Party Advisory
47	https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E	MISC	Third Party Advisory
48	https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E	MISC	Third Party Advisory
49	https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E	MISC	Third Party Advisory
50	https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E	MISC	Third Party Advisory
51	https://lists.apache.org/thread.html/r5f9c22f9c28adbd9f00556059edc7b03a5d5bb71d4bb80257c0d34e4%40%3Ccvs.httpd.apache.org%3E	MISC	Third Party Advisory
52	https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E	MISC	Third Party Advisory
53	https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E	MISC	Third Party Advisory
54	https://lists.apache.org/thread.html/rb9c9f42dafa25d2f669dac2a536a03f2575bc5ec1be6f480618aee10%40%3Ccvs.httpd.apache.org%3E	MISC	Third Party Advisory
55	https://lists.apache.org/thread.html/r7dd6be4dc38148704f2edafb44a8712abaa3a2be120d6c3314d55919%40%3Ccvs.httpd.apache.org%3E	MISC	Third Party Advisory
56	https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E	MISC	Third Party Advisory
57	https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E	MISC	Third Party Advisory
58	https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E	MISC	Third Party Advisory
59	https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E	MISC	Third Party Advisory
60	https://lists.apache.org/thread.html/r84d043c2115176958562133d96d851495d712aa49da155d81f6733be%40%3Ccvs.httpd.apache.org%3E	MISC	Third Party Advisory
61	https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E	MISC	Third Party Advisory
62	https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8%40%3Ccvs.httpd.apache.org%3E	MISC	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:6.06::::lts:::
cpe:2.3:o:opensuse:opensuse:10.2:::::::*
cpe:2.3:o:canonical:ubuntu_linux:7.10:::::::*
cpe:2.3:o:apple:mac_os_x::::::::		10.5.6
cpe:2.3:o:opensuse:opensuse:11.0:::::::*
cpe:2.3:o:opensuse:opensuse:10.3:::::::*
cpe:2.3:o:canonical:ubuntu_linux:8.04::::lts:::