Bug 222123 - www-servers/apache 403 Error page UTF-7 XSS (CVE-2008-2168)
Summary: www-servers/apache 403 Error page UTF-7 XSS (CVE-2008-2168)
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL:
Whiteboard: A4 [upstream]
Keywords:
Depends on:
Blocks:
Reported: 2008-05-14 18:08 UTC by Robert Buchholz (RETIRED)
Modified: 2008-06-09 23:31 UTC (History)
See Also:
Package list:
Runtime testing required: ---


Description Robert Buchholz (RETIRED) gentoo-dev 2008-05-14 18:08:17 UTC
CVE-2008-2168 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2168):
  Cross-site scripting (XSS) vulnerability in Apache 2.2.6 and earlier allows
  remote attackers to inject arbitrary web script or HTML via UTF-7 encoded
  URLs that are not properly handled when displaying the 403 Forbidden error
  page.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-06-09 23:31:16 UTC
Following the argumentation by Apache [1], RedHat [2] and other researchers [3], closing this bug as INVALID.

[1] "The Apache security team state that this issue is due to web browsers that are violating RFC2616 and is not a flaw in the Apache HTTPD Server."

[2] "This is actually a flaw in browsers that do not derive the response character set as required by RFC 2616. This does not affect the default configuration of Apache httpd in Red Hat products and will only affect customers who have removed the "AddDefaultCharset" directive.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2168"

[3] http://www.securityfocus.com/archive/1/493207
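The Red Hat statement quoted above ties exposure to servers that have removed the `AddDefaultCharset` directive, so that error pages are sent without a charset and the browser is left to guess the encoding. The following is an added example, not code from the bug report, Apache or Gentoo: a small audit routine that parses `Content-Type` headers and flags text responses that carry no `charset` parameter, which is the condition a defender would want to detect on error pages. The response list is constructed sample data; the function names `declared_charset`, `is_text_response` and `audit` are this example's own.

```python
"""Audit HTTP responses for a missing charset declaration.

Added example (not part of the bug report). It checks the property that the
Apache/Red Hat analysis relies on: every text response, error pages included,
should declare its charset (for Apache, e.g. via `AddDefaultCharset UTF-8`),
so that RFC 2616-conformant browsers never have to sniff the encoding.
"""
from email.message import Message  # stdlib MIME header parser, handles quoting


def declared_charset(content_type):
    """Return the lower-cased charset parameter of a Content-Type value, or None."""
    msg = Message()
    msg["Content-Type"] = content_type
    charset = msg.get_param("charset")  # unquotes "ISO-8859-1" -> ISO-8859-1
    return charset.lower() if isinstance(charset, str) else None


def is_text_response(content_type):
    """True for text/* media types, the ones a browser may interpret as markup."""
    msg = Message()
    msg["Content-Type"] = content_type
    return msg.get_content_maintype() == "text"


def audit(responses):
    """Flag responses whose encoding a browser would have to guess.

    `responses` is an iterable of (status_code, headers_dict) pairs.
    Returns a list of (status_code, problem) findings, in input order.
    """
    findings = []
    for status, headers in responses:
        content_type = headers.get("Content-Type")
        if content_type is None:
            findings.append((status, "no Content-Type header"))
            continue
        if not is_text_response(content_type):
            continue  # binary content: charset is irrelevant
        if declared_charset(content_type) is None:
            findings.append((status, "text response without charset parameter"))
    return findings


# Constructed sample responses, as a scanner would record them per status code.
SAMPLE_RESPONSES = [
    (200, {"Content-Type": "text/html; charset=UTF-8"}),        # fine
    (403, {"Content-Type": "text/html"}),                       # error page, no charset
    (403, {"Content-Type": "text/html; charset=iso-8859-1"}),   # fine (AddDefaultCharset set)
    (200, {"Content-Type": "image/png"}),                       # not text, ignored
    (404, {}),                                                  # no Content-Type at all
]

if __name__ == "__main__":
    for status, problem in audit(SAMPLE_RESPONSES):
        print(f"{status}: {problem}")
```

Run against the sample data, the audit reports the bare `text/html` 403 page and the header-less 404; the responses that carry a charset (which is what `AddDefaultCharset` guarantees on Apache) produce no finding.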