製品・ソフトウェアに関する情報

JVN脆弱性詳細

Hitachi Web Server のステータス情報表示機能におけるクロスサイトスクリプティングの脆弱性

タイトル	Hitachi Web Server のステータス情報表示機能におけるクロスサイトスクリプティングの脆弱性
概要	Hitachi Web Server のステータス情報表示画面に追加された不正なスクリプトが含まれたリクエストを受信した際に、Hitachi Web Server が自動生成するステータス情報表示画面にその不正なスクリプトが追加され、それがクライアント上で実行される脆弱性が存在します。本脆弱性は、ステータス情報表示機能を使用していない場合は影響を受けない事がベンダより報告されています。
想定される影響	第三者によって不正なスクリプトが実行される可能性があります。
対策	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
公表日	2007年10月5日0:00
登録日	2007年10月23日15:56
最終更新日	2014年5月21日18:27

CVSS2.0 : 警告
スコア	4.3
ベクター	AV:N/AC:M/Au:N/C:N/I:P/A:N

影響を受けるシステム

日立

Cosminexus Application Server Enterprise Version 6

Cosminexus Application Server Standard Version 6

Cosminexus Application Server Version 5

Cosminexus Developer Light Version 6

Cosminexus Developer Professional Version 6

Cosminexus Developer Standard Version 6

Cosminexus Developer Version 5

Cosminexus Server - Enterprise Edition

Cosminexus Server - Standard Edition

Cosminexus Server - Standard Edition Version 4

Cosminexus Server - Web Edition

Cosminexus Server - Web Edition Version 4

Hitachi Web Server

uCosminexus Application Server Enterprise

uCosminexus Application Server Standard

uCosminexus Developer Professional

uCosminexus Developer Light

uCosminexus Developer Standard

uCosminexus Service Architect

uCosminexus Service Platform

CVE (情報セキュリティ共通脆弱性識別子)

No	名前	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2006-5752	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752
2	CVE-2007-5809	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5809
National Vulnerability Database (NVD)
3	CVE-2006-5752	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5752
4	CVE-2007-5809	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5809

CWE (共通脆弱性タイプ一覧)

No	名前	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	名前	URL
Hitachi Software Vulnerability Information
1	HS07-035	http://www.hitachi-support.com/security_e/vuls_e/HS07-035_e/index-e.html
ソフトウェア製品セキュリティ情報
2	HS07-035	http://www.hitachi-support.com/security/vuls/HS07-035/index.html

その他

No	名前	URL
FrSIRT Advisories
1	FrSIRT/ADV-2007-3666	http://www.frsirt.com/english/advisories/2007/3666
Secunia Advisory
2	SA27421	http://secunia.com/advisories/27421

変更履歴

No	変更内容	変更日
0	[2007年10月23日] 掲載 [2014年05月21日] 参考情報：Common Vulnerabilities and Exposures (CVE) (CVE-2006-5752) を追加参考情報：National Vulnerability Database (NVD) (CVE-2006-5752) を追加	2018年2月17日10:37

NVD脆弱性情報

CVE-2006-5752

概要	Cross-site scripting (XSS) vulnerability in mod_status.c in the mod_status module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a public server-status page is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving charsets with browsers that perform "charset detection" when the content-type is not specified.
公表日	2007年6月28日2:30
登録日	2021年1月29日15:49
最終更新日	2023年11月7日10:59

影響を受けるソフトウェアの構成

構成1	以上	以下	より上	未満
cpe:2.3:a:apache:http_server::::::::	2.2.0			2.2.6
cpe:2.3:a:apache:http_server::::::::	2.0.0			2.0.61
cpe:2.3:a:apache:http_server::::::::	1.3.2			1.3.39

構成2	以上	以下	より上	未満
cpe:2.3:o:canonical:ubuntu_linux:7.04:::::::*
cpe:2.3:o:canonical:ubuntu_linux:6.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:6.06:::::::*

構成3		以上	以下	より上	未満
cpe:2.3:o:fedoraproject:fedora:7:::::::*

構成4	以上	以下	より上	未満
cpe:2.3:o:redhat:enterprise_linux_server:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:3.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:4.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:4.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:4.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:3.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:3.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:4.5:::::::*

関連情報、対策とツール

No	URL	refsource	タグ
1	http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=245112	MISC	Issue Tracking Third Party Advisory
2	http://svn.apache.org/viewvc?view=rev&revision=549159	CONFIRM	Vendor Advisory
3	http://www.redhat.com/support/errata/RHSA-2007-0532.html	REDHAT	Third Party Advisory
4	http://rhn.redhat.com/errata/RHSA-2007-0534.html	REDHAT	Third Party Advisory
5	http://rhn.redhat.com/errata/RHSA-2007-0556.html	REDHAT	Third Party Advisory
6	http://www.securityfocus.com/bid/24645	BID	Patch Third Party Advisory VDB Entry
7	https://issues.rpath.com/browse/RPL-1500	CONFIRM	Broken Link
8	http://httpd.apache.org/security/vulnerabilities_13.html	CONFIRM	Vendor Advisory
9	http://httpd.apache.org/security/vulnerabilities_20.html	CONFIRM	Vendor Advisory
10	http://httpd.apache.org/security/vulnerabilities_22.html	CONFIRM	Vendor Advisory
11	http://support.avaya.com/elmodocs2/security/ASA-2007-353.htm	CONFIRM	Third Party Advisory
12	http://bugs.gentoo.org/show_bug.cgi?id=186219	CONFIRM	Issue Tracking Third Party Advisory
13	http://www-1.ibm.com/support/search.wss?rs=0&q=PK49295&apar=only	AIXAPAR	Third Party Advisory
14	http://www-1.ibm.com/support/docview.wss?uid=swg1PK52702	AIXAPAR	Third Party Advisory
15	http://www.redhat.com/archives/fedora-package-announce/2007-September/msg00320.html	FEDORA	Mailing List Third Party Advisory
16	http://security.gentoo.org/glsa/glsa-200711-06.xml	GENTOO	Third Party Advisory
17	http://www.mandriva.com/security/advisories?name=MDKSA-2007:140	MANDRIVA	Broken Link
18	http://www.mandriva.com/security/advisories?name=MDKSA-2007:141	MANDRIVA	Broken Link
19	http://www.mandriva.com/security/advisories?name=MDKSA-2007:142	MANDRIVA	Broken Link
20	https://rhn.redhat.com/errata/RHSA-2007-0533.html	REDHAT	Third Party Advisory
21	http://www.redhat.com/support/errata/RHSA-2007-0557.html	REDHAT	Third Party Advisory
22	http://www.novell.com/linux/security/advisories/2007_61_apache2.html	SUSE	Broken Link
23	http://www.trustix.org/errata/2007/0026/	TRUSTIX	Broken Link
24	http://www.ubuntu.com/usn/usn-499-1	UBUNTU	Third Party Advisory
25	http://www.securitytracker.com/id?1018302	SECTRACK	Broken Link Third Party Advisory VDB Entry
26	http://secunia.com/advisories/25827	SECUNIA	Not Applicable
27	http://secunia.com/advisories/25830	SECUNIA	Not Applicable
28	http://secunia.com/advisories/25873	SECUNIA	Not Applicable
29	http://secunia.com/advisories/25920	SECUNIA	Not Applicable
30	http://secunia.com/advisories/26273	SECUNIA	Not Applicable
31	http://secunia.com/advisories/26443	SECUNIA	Not Applicable
32	http://secunia.com/advisories/26458	SECUNIA	Not Applicable
33	http://secunia.com/advisories/26508	SECUNIA	Not Applicable
34	http://secunia.com/advisories/26822	SECUNIA	Not Applicable
35	http://secunia.com/advisories/26842	SECUNIA	Not Applicable
36	http://secunia.com/advisories/26993	SECUNIA	Not Applicable
37	http://secunia.com/advisories/27037	SECUNIA	Not Applicable
38	http://secunia.com/advisories/27563	SECUNIA	Not Applicable
39	http://secunia.com/advisories/27732	SECUNIA	Not Applicable
40	http://sunsolve.sun.com/search/document.do?assetkey=1-26-103179-1	SUNALERT	Broken Link
41	http://secunia.com/advisories/28212	SECUNIA	Not Applicable
42	http://secunia.com/advisories/28224	SECUNIA	Not Applicable
43	http://www.fujitsu.com/global/support/software/security/products-f/interstage-200802e.html	CONFIRM	Third Party Advisory
44	http://secunia.com/advisories/28606	SECUNIA	Not Applicable
45	http://sunsolve.sun.com/search/document.do?assetkey=1-66-200032-1	SUNALERT	Broken Link
46	http://www.redhat.com/support/errata/RHSA-2008-0261.html	REDHAT	Third Party Advisory
47	http://lists.vmware.com/pipermail/security-announce/2009/000062.html	MLIST	Mailing List Third Party Advisory
48	http://www.vupen.com/english/advisories/2008/0233	VUPEN	Permissions Required
49	http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795	HP	Third Party Advisory
50	http://www.vupen.com/english/advisories/2007/4305	VUPEN	Permissions Required
51	http://www.vupen.com/english/advisories/2007/2727	VUPEN	Permissions Required
52	http://www.vupen.com/english/advisories/2007/3283	VUPEN	Permissions Required
53	http://www.vupen.com/english/advisories/2007/3386	VUPEN	Permissions Required
54	http://osvdb.org/37052	OSVDB	Broken Link
55	http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html	CONFIRM	Third Party Advisory
56	https://exchange.xforce.ibmcloud.com/vulnerabilities/35097	XF	Third Party Advisory VDB Entry
57	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10154	OVAL	Third Party Advisory
58	http://www.securityfocus.com/archive/1/505990/100/0/threaded	BUGTRAQ	Third Party Advisory VDB Entry
59	https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E
60	https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E
61	https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E
62	https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E
63	https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E
64	https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E
65	https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E
66	https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E
67	https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
68	https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5%40%3Ccvs.httpd.apache.org%3E
69	https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E
70	https://lists.apache.org/thread.html/r652fc951306cdeca5a276e2021a34878a76695a9f3cfb6490b4a6840%40%3Ccvs.httpd.apache.org%3E
71	https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E
72	https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E
73	https://lists.apache.org/thread.html/reb542d2038e9c331506e0cbff881b47e40fbe2bd93ff00979e60cdf7%40%3Ccvs.httpd.apache.org%3E
74	https://lists.apache.org/thread.html/rafd145ba6cd0a4ced113a5823cdaff45aeb36eb09855b216401c66d6%40%3Ccvs.httpd.apache.org%3E
75	https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E
76	https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
77	https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E

共通脆弱性一覧

CVE-2007-5809

概要	Cross-site scripting (XSS) vulnerability in Hitachi Web Server 01-00 through 03-10, as used by certain Cosminexus products, allows remote attackers to inject arbitrary web script or HTML via unspecified HTTP requests that trigger creation of a server-status page.
公表日	2007年11月6日2:46
登録日	2021年1月29日14:23
最終更新日	2011年3月8日12:01

影響を受けるソフトウェアの構成

構成1	以上	以下	より上	未満
cpe:2.3:a:hitachi:cosminexus_application_server_enterprise::::::::		06_51_j
cpe:2.3:a:hitachi:cosminexus_application_server_standard::::::::		06_51_j
cpe:2.3:a:hitachi:cosminexus_developer_light_version_6::::::::		06_51_j
cpe:2.3:a:hitachi:cosminexus_developer_professional_version_6::::::::		06_51_j
cpe:2.3:a:hitachi:cosminexus_developer_standard_version_6::::::::		06_51_j
cpe:2.3:a:hitachi:cosminexus_server::::::::		04_01
cpe:2.3:a:hitachi:ucosminexus_application_server_enterprise::::::::		07_50_01
cpe:2.3:a:hitachi:ucosminexus_application_server_standard::::::::		07_50_01
cpe:2.3:a:hitachi:ucosminexus_developer_light::::::::		06_71_d
cpe:2.3:a:hitachi:ucosminexus_developer_professional::::::::		07_50_01
cpe:2.3:a:hitachi:ucosminexus_developer_standard::::::::		07_50_01
cpe:2.3:a:hitachi:ucosminexus_service_architect::::::::		07_50_01
cpe:2.3:a:hitachi:ucosminexus_service_platform::::::::		07_50_01
cpe:2.3:a:hitachi:web_server:01_00::hpux:::::
cpe:2.3:a:hitachi:web_server:01_00::solaris:::::
cpe:2.3:a:hitachi:web_server:01_01::aix:::::
cpe:2.3:a:hitachi:web_server:01_01::linux:::::
cpe:2.3:a:hitachi:web_server:01_01::turbolinux:::::
cpe:2.3:a:hitachi:web_server:01_01_d::linux:::::
cpe:2.3:a:hitachi:web_server:01_02_d::hpux:::::
cpe:2.3:a:hitachi:web_server:01_02_d::solaris:::::
cpe:2.3:a:hitachi:web_server:01_02_e::aix:::::
cpe:2.3:a:hitachi:web_server:02_00::aix:::::
cpe:2.3:a:hitachi:web_server:02_00::hpux:::::
cpe:2.3:a:hitachi:web_server:02_00::linux:::::
cpe:2.3:a:hitachi:web_server:02_00::solaris:::::
cpe:2.3:a:hitachi:web_server:02_00::turbolinux:::::
cpe:2.3:a:hitachi:web_server:02_00::windows:::::
cpe:2.3:a:hitachi:web_server:02_00_a::linux:::::
cpe:2.3:a:hitachi:web_server:02_02::hpux:::::
cpe:2.3:a:hitachi:web_server:02_02::hpux\(ipf\):::::
cpe:2.3:a:hitachi:web_server:02_02::linux:::::
cpe:2.3:a:hitachi:web_server:02_04_b::aix:::::
cpe:2.3:a:hitachi:web_server:02_04_b::hpux:::::
cpe:2.3:a:hitachi:web_server:02_04_b::hpux\(ipf\):::::
cpe:2.3:a:hitachi:web_server:02_04_b::solaris:::::
cpe:2.3:a:hitachi:web_server:02_04_b::windows:::::
cpe:2.3:a:hitachi:web_server:02_06_a::linux:::::
cpe:2.3:a:hitachi:web_server:03_00::aix:::::
cpe:2.3:a:hitachi:web_server:03_00::hpux\(ipf\):::::
cpe:2.3:a:hitachi:web_server:03_00::linux:::::
cpe:2.3:a:hitachi:web_server:03_00::windows:::::
cpe:2.3:a:hitachi:web_server:03_00_01::solaris:::::
cpe:2.3:a:hitachi:web_server:03_00_01::windows:::::

構成4	以上	以下	より上	未満
cpe:2.3:o:redhat:enterprise_linux_server:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:3.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:4.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:4.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:4.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:3.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:3.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:4.5:::::::*

構成1	以上	以下	より上	未満
cpe:2.3:a:hitachi:cosminexus_application_server_enterprise::::::::		06_51_j
cpe:2.3:a:hitachi:cosminexus_application_server_standard::::::::		06_51_j
cpe:2.3:a:hitachi:cosminexus_developer_light_version_6::::::::		06_51_j
cpe:2.3:a:hitachi:cosminexus_developer_professional_version_6::::::::		06_51_j
cpe:2.3:a:hitachi:cosminexus_developer_standard_version_6::::::::		06_51_j
cpe:2.3:a:hitachi:cosminexus_server::::::::		04_01
cpe:2.3:a:hitachi:ucosminexus_application_server_enterprise::::::::		07_50_01
cpe:2.3:a:hitachi:ucosminexus_application_server_standard::::::::		07_50_01
cpe:2.3:a:hitachi:ucosminexus_developer_light::::::::		06_71_d
cpe:2.3:a:hitachi:ucosminexus_developer_professional::::::::		07_50_01
cpe:2.3:a:hitachi:ucosminexus_developer_standard::::::::		07_50_01
cpe:2.3:a:hitachi:ucosminexus_service_architect::::::::		07_50_01
cpe:2.3:a:hitachi:ucosminexus_service_platform::::::::		07_50_01
cpe:2.3:a:hitachi:web_server:01_00::hpux:::::
cpe:2.3:a:hitachi:web_server:01_00::solaris:::::
cpe:2.3:a:hitachi:web_server:01_01::aix:::::
cpe:2.3:a:hitachi:web_server:01_01::linux:::::
cpe:2.3:a:hitachi:web_server:01_01::turbolinux:::::
cpe:2.3:a:hitachi:web_server:01_01_d::linux:::::
cpe:2.3:a:hitachi:web_server:01_02_d::hpux:::::
cpe:2.3:a:hitachi:web_server:01_02_d::solaris:::::
cpe:2.3:a:hitachi:web_server:01_02_e::aix:::::
cpe:2.3:a:hitachi:web_server:02_00::aix:::::
cpe:2.3:a:hitachi:web_server:02_00::hpux:::::
cpe:2.3:a:hitachi:web_server:02_00::linux:::::
cpe:2.3:a:hitachi:web_server:02_00::solaris:::::
cpe:2.3:a:hitachi:web_server:02_00::turbolinux:::::
cpe:2.3:a:hitachi:web_server:02_00::windows:::::
cpe:2.3:a:hitachi:web_server:02_00_a::linux:::::
cpe:2.3:a:hitachi:web_server:02_02::hpux:::::
cpe:2.3:a:hitachi:web_server:02_02::hpux\(ipf\):::::
cpe:2.3:a:hitachi:web_server:02_02::linux:::::
cpe:2.3:a:hitachi:web_server:02_04_b::aix:::::
cpe:2.3:a:hitachi:web_server:02_04_b::hpux:::::
cpe:2.3:a:hitachi:web_server:02_04_b::hpux\(ipf\):::::
cpe:2.3:a:hitachi:web_server:02_04_b::solaris:::::
cpe:2.3:a:hitachi:web_server:02_04_b::windows:::::
cpe:2.3:a:hitachi:web_server:02_06_a::linux:::::
cpe:2.3:a:hitachi:web_server:03_00::aix:::::
cpe:2.3:a:hitachi:web_server:03_00::hpux\(ipf\):::::
cpe:2.3:a:hitachi:web_server:03_00::linux:::::
cpe:2.3:a:hitachi:web_server:03_00::windows:::::
cpe:2.3:a:hitachi:web_server:03_00_01::solaris:::::
cpe:2.3:a:hitachi:web_server:03_00_01::windows:::::

No	URL	refsource	タグ
1	http://osvdb.org/42027	OSVDB
2	http://secunia.com/advisories/27421	SECUNIA	Vendor Advisory
3	http://www.hitachi-support.com/security_e/vuls_e/HS07-035_e/index-e.html	CONFIRM
4	http://www.securityfocus.com/bid/26271	BID
5	http://www.vupen.com/english/advisories/2007/3666	VUPEN