NVD Vulnerability Detail

CVE-2006-5752

Summary	Cross-site scripting (XSS) vulnerability in mod_status.c in the mod_status module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a public server-status page is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving charsets with browsers that perform "charset detection" when the content-type is not specified.
Publication Date	June 28, 2007, 2:30 a.m.
Registration Date	Jan. 29, 2021, 3:49 p.m.
Last Update	Nov. 7, 2023, 10:59 a.m.

CVSS2.0 : MEDIUM
Score	4.3
Vector	AV:N/AC:M/Au:N/C:N/I:P/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	なし
完全性への影響(I)	低
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:http_server::::::::	2.2.0			2.2.6
cpe:2.3:a:apache:http_server::::::::	2.0.0			2.0.61
cpe:2.3:a:apache:http_server::::::::	1.3.2			1.3.39

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:7.04:::::::*
cpe:2.3:o:canonical:ubuntu_linux:6.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:6.06:::::::*

Configuration3		or higher	or less	more than	less than
cpe:2.3:o:fedoraproject:fedora:7:::::::*

Configuration4	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_server:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:3.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:4.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:4.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:4.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:3.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:3.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:4.5:::::::*

Related information, measures and tools

No	URL	refsource	タグ
1	http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=245112	MISC	Issue Tracking Third Party Advisory
2	http://svn.apache.org/viewvc?view=rev&revision=549159	CONFIRM	Vendor Advisory
3	http://www.redhat.com/support/errata/RHSA-2007-0532.html	REDHAT	Third Party Advisory
4	http://rhn.redhat.com/errata/RHSA-2007-0534.html	REDHAT	Third Party Advisory
5	http://rhn.redhat.com/errata/RHSA-2007-0556.html	REDHAT	Third Party Advisory
6	http://www.securityfocus.com/bid/24645	BID	Patch Third Party Advisory VDB Entry
7	https://issues.rpath.com/browse/RPL-1500	CONFIRM	Broken Link
8	http://httpd.apache.org/security/vulnerabilities_13.html	CONFIRM	Vendor Advisory
9	http://httpd.apache.org/security/vulnerabilities_20.html	CONFIRM	Vendor Advisory
10	http://httpd.apache.org/security/vulnerabilities_22.html	CONFIRM	Vendor Advisory
11	http://support.avaya.com/elmodocs2/security/ASA-2007-353.htm	CONFIRM	Third Party Advisory
12	http://bugs.gentoo.org/show_bug.cgi?id=186219	CONFIRM	Issue Tracking Third Party Advisory
13	http://www-1.ibm.com/support/search.wss?rs=0&q=PK49295&apar=only	AIXAPAR	Third Party Advisory
14	http://www-1.ibm.com/support/docview.wss?uid=swg1PK52702	AIXAPAR	Third Party Advisory
15	http://www.redhat.com/archives/fedora-package-announce/2007-September/msg00320.html	FEDORA	Mailing List Third Party Advisory
16	http://security.gentoo.org/glsa/glsa-200711-06.xml	GENTOO	Third Party Advisory
17	http://www.mandriva.com/security/advisories?name=MDKSA-2007:140	MANDRIVA	Broken Link
18	http://www.mandriva.com/security/advisories?name=MDKSA-2007:141	MANDRIVA	Broken Link
19	http://www.mandriva.com/security/advisories?name=MDKSA-2007:142	MANDRIVA	Broken Link
20	https://rhn.redhat.com/errata/RHSA-2007-0533.html	REDHAT	Third Party Advisory
21	http://www.redhat.com/support/errata/RHSA-2007-0557.html	REDHAT	Third Party Advisory
22	http://www.novell.com/linux/security/advisories/2007_61_apache2.html	SUSE	Broken Link
23	http://www.trustix.org/errata/2007/0026/	TRUSTIX	Broken Link
24	http://www.ubuntu.com/usn/usn-499-1	UBUNTU	Third Party Advisory
25	http://www.securitytracker.com/id?1018302	SECTRACK	Broken Link Third Party Advisory VDB Entry
26	http://secunia.com/advisories/25827	SECUNIA	Not Applicable
27	http://secunia.com/advisories/25830	SECUNIA	Not Applicable
28	http://secunia.com/advisories/25873	SECUNIA	Not Applicable
29	http://secunia.com/advisories/25920	SECUNIA	Not Applicable
30	http://secunia.com/advisories/26273	SECUNIA	Not Applicable
31	http://secunia.com/advisories/26443	SECUNIA	Not Applicable
32	http://secunia.com/advisories/26458	SECUNIA	Not Applicable
33	http://secunia.com/advisories/26508	SECUNIA	Not Applicable
34	http://secunia.com/advisories/26822	SECUNIA	Not Applicable
35	http://secunia.com/advisories/26842	SECUNIA	Not Applicable
36	http://secunia.com/advisories/26993	SECUNIA	Not Applicable
37	http://secunia.com/advisories/27037	SECUNIA	Not Applicable
38	http://secunia.com/advisories/27563	SECUNIA	Not Applicable
39	http://secunia.com/advisories/27732	SECUNIA	Not Applicable
40	http://sunsolve.sun.com/search/document.do?assetkey=1-26-103179-1	SUNALERT	Broken Link
41	http://secunia.com/advisories/28212	SECUNIA	Not Applicable
42	http://secunia.com/advisories/28224	SECUNIA	Not Applicable
43	http://www.fujitsu.com/global/support/software/security/products-f/interstage-200802e.html	CONFIRM	Third Party Advisory
44	http://secunia.com/advisories/28606	SECUNIA	Not Applicable
45	http://sunsolve.sun.com/search/document.do?assetkey=1-66-200032-1	SUNALERT	Broken Link
46	http://www.redhat.com/support/errata/RHSA-2008-0261.html	REDHAT	Third Party Advisory
47	http://lists.vmware.com/pipermail/security-announce/2009/000062.html	MLIST	Mailing List Third Party Advisory
48	http://www.vupen.com/english/advisories/2008/0233	VUPEN	Permissions Required
49	http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795	HP	Third Party Advisory
50	http://www.vupen.com/english/advisories/2007/4305	VUPEN	Permissions Required
51	http://www.vupen.com/english/advisories/2007/2727	VUPEN	Permissions Required
52	http://www.vupen.com/english/advisories/2007/3283	VUPEN	Permissions Required
53	http://www.vupen.com/english/advisories/2007/3386	VUPEN	Permissions Required
54	http://osvdb.org/37052	OSVDB	Broken Link
55	http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html	CONFIRM	Third Party Advisory
56	https://exchange.xforce.ibmcloud.com/vulnerabilities/35097	XF	Third Party Advisory VDB Entry
57	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10154	OVAL	Third Party Advisory
58	http://www.securityfocus.com/archive/1/505990/100/0/threaded	BUGTRAQ	Third Party Advisory VDB Entry
59	https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E
60	https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E
61	https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E
62	https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E
63	https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E
64	https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E
65	https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E
66	https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E
67	https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
68	https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5%40%3Ccvs.httpd.apache.org%3E
69	https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E
70	https://lists.apache.org/thread.html/r652fc951306cdeca5a276e2021a34878a76695a9f3cfb6490b4a6840%40%3Ccvs.httpd.apache.org%3E
71	https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E
72	https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E
73	https://lists.apache.org/thread.html/reb542d2038e9c331506e0cbff881b47e40fbe2bd93ff00979e60cdf7%40%3Ccvs.httpd.apache.org%3E
74	https://lists.apache.org/thread.html/rafd145ba6cd0a4ced113a5823cdaff45aeb36eb09855b216401c66d6%40%3Ccvs.httpd.apache.org%3E
75	https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E
76	https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
77	https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E

Common Vulnerabilities List

JVN Vulnerability Information

Apache HTTP Server の mod_status モジュールにおけるクロスサイトスクリプティングの脆弱性

Title	Apache HTTP Server の mod_status モジュールにおけるクロスサイトスクリプティングの脆弱性
Summary	Apache HTTP Server の mod_status モジュールにはブラウザの文字コード処理に不備が存在するために ExtendedStatus を有効にしている場合、server-status ページ上でクロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	ユーザのブラウザ上で任意のコードを実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	June 26, 2007, midnight
Registration Date	July 2, 2007, 5:52 p.m.
Last Update	May 21, 2014, 6:26 p.m.

Affected System

サン・マイクロシステムズ

Sun Solaris 10 (sparc)

Sun Solaris 10 (x86)

Sun Solaris 8 (sparc)

Sun Solaris 8 (x86)

Sun Solaris 9 (sparc)

Sun Solaris 9 (x86)

レッドハット

Red Hat Enterprise Linux 2.1 (as)

Red Hat Enterprise Linux 2.1 (es)

Red Hat Enterprise Linux 2.1 (ws)

Red Hat Enterprise Linux 3 (as)

Red Hat Enterprise Linux 3 (es)

Red Hat Enterprise Linux 3 (ws)

Red Hat Enterprise Linux 4 (as)

Red Hat Enterprise Linux 4 (es)

Red Hat Enterprise Linux 4 (ws)

Red Hat Enterprise Linux 5 (server)

Red Hat Enterprise Linux Desktop 3.0

Red Hat Enterprise Linux Desktop 4.0

Red Hat Enterprise Linux Desktop 5.0 (client)

Red Hat Linux Advanced Workstation 2.1

RHEL Desktop Workstation 5 (client)

ヒューレット・パッカード

HP-UX 11.11

HP-UX 11.23

HP-UX 11.31

Apache Software Foundation

Apache HTTP Server 1.3.37 およびそれ以前

Apache HTTP Server 2.0.59 およびそれ以前

Apache HTTP Server 2.2.4 およびそれ以前

オラクル

Oracle HTTP Server 10.1.3.5.0

IBM

IBM HTTP Server 1.3.28.1

IBM HTTP Server 2.0.47

IBM HTTP Server 6.0.2.23 未満のバージョン

IBM HTTP Server 6.1.0.13 未満のバージョン

ターボリナックス

Turbolinux Appliance Server 2.0

Turbolinux FUJI

Turbolinux Server 10

Turbolinux Server 10 (x64)

サイバートラスト株式会社

Asianux Server 2.0

Asianux Server 2.1

Asianux Server 3.0

Asianux Server 3.0 (x86-64)

Asianux Server 4.0

Asianux Server 4.0 (x86-64)

富士通

Interstage Application Framework Suite

Interstage Application Server

Interstage Apworks

Interstage Business Application Server

Interstage Job Workload Server

Interstage Studio

Interstage Web Server

Systemwalker Resource Coordinator

日立

Cosminexus Application Server Enterprise Version 6

Cosminexus Application Server Standard Version 6

Cosminexus Application Server Version 5

Cosminexus Developer Light Version 6

Cosminexus Developer Professional Version 6

Cosminexus Developer Standard Version 6

Cosminexus Developer Version 5

Cosminexus Server - Enterprise Edition

Cosminexus Server - Standard Edition

Cosminexus Server - Standard Edition Version 4

Cosminexus Server - Web Edition

Cosminexus Server - Web Edition Version 4

Hitachi Web Server

uCosminexus Application Server Enterprise

uCosminexus Application Server Standard

uCosminexus Developer Professional

uCosminexus Developer Light

uCosminexus Developer Standard

uCosminexus Service Architect

uCosminexus Service Platform

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2006-5752	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752
National Vulnerability Database (NVD)
2	CVE-2006-5752	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5752

ベンダー情報

No	Name	URL
Apache httpd 1.3 vulnerabilities
1	Fixed in Apache httpd 1.3.39-dev	http://httpd.apache.org/security/vulnerabilities_13.html#1.3.39-dev
Apache httpd 2.0 vulnerabilities
2	Fixed in Apache httpd 2.0.61-dev	http://httpd.apache.org/security/vulnerabilities_20.html#2.0.61-dev
Apache httpd 2.2 vulnerabilities
3	Fixed in Apache httpd 2.2.6-dev	http://httpd.apache.org/security/vulnerabilities_22.html#2.2.6-dev
Apache-SVN
4	Revision 549159	http://svn.apache.org/viewvc?view=rev&revision=549159
Hitachi Software Vulnerability Information
5	HS07-035	http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS07-035/index.html
HP Security Bulletin
6	HPSBUX02262	http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01178795
HP セキュリティ報告
7	HPSBUX02262	http://h50221.www5.hp.com/upassist/itrc_japan/assist2/secbltn/HP-UX/HPSBUX02262.html
IBM Support Document
8	4017141	http://www-1.ibm.com/support/docview.wss?uid=swg24017141
9	4017303	http://www-1.ibm.com/support/docview.wss?uid=swg24017303
10	Fix Pack 13 (6.1.0.13)	http://www-1.ibm.com/support/docview.wss?uid=swg27007951#61013
11	PK49295	http://www-1.ibm.com/support/docview.wss?uid=swg1PK49295
12	PK55141	http://www-1.ibm.com/support/docview.wss?uid=swg1PK55141
MIRACLE LINUX アップデート情報
13	httpd (V2.x)	http://www.miraclelinux.com/support/update/list.php?errata_id=1078
14	httpd (V3.0)	http://www.miraclelinux.com/support/update/list.php?errata_id=1073
15	httpd (V4.0)	http://www.miraclelinux.com/support/update/list.php?errata_id=1073
Oracle Critical Patch Update
16	Oracle Critical Patch Update Advisory - July 2013	http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
17	Text Form of Oracle Critical Patch Update - July 2013 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujuly2013verbose-1899830.html
Red Hat Bugzilla
18	245112	http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=245112
Red Hat Security Advisory
19	RHSA-2007:0532	https://rhn.redhat.com/errata/RHSA-2007-0532.html
20	RHSA-2007:0533	https://rhn.redhat.com/errata/RHSA-2007-0533.html
21	RHSA-2007:0534	https://rhn.redhat.com/errata/RHSA-2007-0534.html
22	RHSA-2007:0556	https://rhn.redhat.com/errata/RHSA-2007-0556.html
SECURITY BLOG
23	July 2013 Critical Patch Update Released	https://blogs.oracle.com/security/entry/july_2013_critical_patch_update
Sun Alert Notification
24	103179	http://sunsolve.sun.com/search/document.do?assetkey=1-26-103179-1
Turbolinux Security Advisory (英語)
25	TLSA-2007-41	http://www.turbolinux.com/security/2007/TLSA-2007-41.txt
ソフトウェア製品セキュリティ情報
26	HS07-035	http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS07-035/index.html
レッドハットセキュリティーアップデート
27	RHSA-2007:0532	http://www.jp.redhat.com/support/errata/RHSA/RHSA-2007-0532J.html
28	RHSA-2007:0533	http://www.jp.redhat.com/support/errata/RHSA/RHSA-2007-0533J.html
29	RHSA-2007:0534	http://www.jp.redhat.com/support/errata/RHSA/RHSA-2007-0534J.html
30	RHSA-2007:0556	http://www.jp.redhat.com/support/errata/RHSA/RHSA-2007-0556J.html
富士通セキュリティ情報
31	interstage_as_200802	http://software.fujitsu.com/jp/security/products-fujitsu/solution/interstage_as_200802.html
製品セキュリティ情報
32	TLSA-2007-41	http://www.turbolinux.co.jp/security/2007/TLSA-2007-41j.txt

その他

No	Name	URL
Secunia Advisory
1	SA26458	http://secunia.com/advisories/26458/
SecurityFocus
2	24645	http://www.securityfocus.com/bid/24645

Change Log

No	Changed Details	Date of change
0	[2007年07月02日] 掲載 [2007年07月06日] 影響を受けるシステムを更新しました。ベンダ情報：ミラクル・リナックスの情報を追加しました。 [2007年07月25日] 影響を受けるシステムを更新ベンダ情報：ミラクル・リナックス (httpd (V3.0)) の情報を追加 [2007年08月08日] 影響を受けるシステム:Apache Software Foundation を更新ベンダ情報：Apache Software Foundation の情報を追加・Fixed in Apache httpd 1.3.38-dev ・Fixed in Apache httpd 2.0.60-dev ・Fixed in Apache httpd 2.2.5-dev [2007年08月10日] 影響を受けるシステム：ターボリナックス (TLSA-2007-41) の情報を追加ベンダ情報：ターボリナックス (TLSA-2007-41) を追加 [2007年08月23日] 影響を受けるシステム：IBM (PK49295) の情報を追加ベンダ情報：IBM (PK49295) を追加 [2007年09月03日] ベンダ情報：Apache Software Foundation の情報を追加・Fixed in Apache httpd 1.3.39-dev 　・Fixed in Apache httpd 2.0.61-dev 　・Fixed in Apache httpd 2.2.6-dev [2007年10月11日] 影響を受けるシステム：IBM (4017141) の情報を追加ベンダ情報：IBM (4017141) を追加 [2007年10月12日] 影響を受けるシステム：ヒューレット・パッカード (HPSBUX02262) の情報を追加ベンダ情報：ヒューレット・パッカード (HPSBUX02262) を追加 [2007年12月05日] 影響を受けるシステム：IBM (PK55141) の情報を追加ベンダ情報：IBM (PK55141) を追加 [2008年01月15日] 影響を受けるシステム：サン・マイクロシステムズ (103179) の情報を追加ベンダ情報：サン・マイクロシステムズ (103179) を追加 [2009年02月09日] 影響を受けるシステム：富士通 (interstage_as_200802) の情報を追加ベンダ情報：富士通 (interstage_as_200802) を追加 [2013年07月18日] 影響を受けるシステム：オラクル (Oracle Critical Patch Update Advisory - July 2013) の情報を追加ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - July 2013) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - July 2013 Risk Matrices ) を追加ベンダ情報：オラクル (July 2013 Critical Patch Update Released) を追加 [2014年05月21日] 影響を受けるシステム：日立 (HS07-035) の情報を追加ベンダ情報：日立 (HS07-035) を追加	Feb. 17, 2018, 10:37 a.m.

Configuration4	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_server:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:3.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:4.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:4.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:4.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:3.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:3.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:4.5:::::::*