Published: 2007/12/13  Last Updated: 2015/10/21

JVN#80057925
Cross-site scripting vulnerability in Apache HTTP Server "mod_imap" and "mod_imagemap"

Overview

mod_imap and mod_imagemap modules of the Apache HTTP Server are vulnerable to cross-site scripting.

Products Affected

  • Apache HTTP Server 2.2.6 and earlier
  • Apache HTTP Server 2.0.61 and earlier
  • Apache HTTP Server 1.3.39 and earlier
For details, see the information provided by the vendors.

Description

The Apache HTTP Server is open source web server software. The Apache HTTP Server modules mod_imap and mod_imagemap provide server-side imagemap processing capability.
The Apache HTTP Server modules mod_imap and mod_imagemap are vulnerable to cross-site scripting.

Impact

An arbitrary script can be executed on the user's web browser.

Solution

Apply the Patch
Apply the appropriate patches according to the information provided by the vendors.

Vendor Status

Vendor            Status                         Last Update   Vendor Notes
Canon Inc.        Not Vulnerable                 2008/08/20
centurysys        Not Vulnerable, investigating  2007/12/13
FUJITSU LIMITED   Vulnerable                     2015/10/13
hitachi           Vulnerable                     2007/12/13
NEC Corporation   Vulnerable                     2009/07/08

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

HIRT (Hitachi Incident Response Team) reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2007-5000
JVN iPedia JVNDB-2007-000819

Update History

2008/05/21
JVN English site opened and the first English advisory of this issue was published.
2008/08/20
Canon Inc. updated its status under the section "Vendor Status".
2014/10/27
FUJITSU LIMITED updated its status.
2015/10/21
FUJITSU LIMITED updated its status.