Apache 2.x version older than 2.0.63

Description
This alert was generated using only banner information. It may be a false positive.


Fixed in Apache httpd 2.0.63:

  • low: mod_proxy_ftp UTF-7 XSS CVE-2008-0005
    A workaround was added in the mod_proxy_ftp module. On sites where mod_proxy_ftp is enabled and a forward proxy is configured, a cross-site scripting attack is possible against Web browsers which do not correctly derive the response character set following the rules in RFC 2616.
  • moderate: mod_status XSS CVE-2007-6388
    A flaw was found in the mod_status module. On sites where mod_status is enabled and the status pages are publicly accessible, a cross-site scripting attack is possible. Note that the server-status page is not enabled by default and it is best practice not to make it publicly available.
  • moderate: mod_imap XSS CVE-2007-5000
    A flaw was found in the mod_imap module. On sites where mod_imap is enabled and an imagemap file is publicly available, a cross-site scripting attack is possible.


Affected Apache versions: up to 2.0.62.
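
Because the alert rests on the banner alone, each fix above applies only when its module is in use. The following added example (not part of the original advisory or of any scanner's code) parses a Server banner and checks an httpd.conf text for the conditions named in the three items. The function names and sample inputs are constructed for illustration, and it assumes modules are loaded with LoadModule, so statically compiled modules are not detected.

```python
import re

FIXED = (2, 0, 63)  # first 2.0.x release with the fixes, per the advisory

# CVE -> (module identifier, directive that turns on the feature the advisory names)
CHECKS = {
    "CVE-2008-0005": ("proxy_ftp_module", r"ProxyRequests\s+On\b"),
    "CVE-2007-6388": ("status_module", r"SetHandler\s+server-status\b"),
    "CVE-2007-5000": ("imap_module", r"AddHandler\s+imap-file\b"),
}

def banner_version(banner):
    """Return (major, minor, patch) from a Server header, or None if not disclosed."""
    m = re.search(r"\bApache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def banner_flagged(banner):
    """True/False from the banner alone; None when the version is hidden."""
    v = banner_version(banner)
    return None if v is None else (v[:2] == (2, 0) and v < FIXED)

def active(conf, pattern):
    """True if an uncommented line of the config starts with the directive."""
    return re.search(r"^[ \t]*" + pattern, conf, re.I | re.M) is not None

def triage(banner, conf):
    """Per-CVE status for a flagged banner; empty dict when the banner is not flagged."""
    if not banner_flagged(banner):
        return {}
    result = {}
    for cve, (module, directive) in CHECKS.items():
        if not active(conf, r"LoadModule\s+" + module + r"\b"):
            result[cve] = "module not loaded"
        elif not active(conf, directive):
            result[cve] = "module loaded, feature not configured"
        else:
            result[cve] = "conditions present, review access control"
    return result

# Constructed sample input, not taken from a real host.
SAMPLE_BANNER = "Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8"
SAMPLE_CONF = """\
LoadModule status_module modules/mod_status.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule imap_module modules/mod_imap.so
<Location /server-status>
    SetHandler server-status
</Location>
ProxyRequests Off
"""
```

A "conditions present" result still needs a manual look at who can reach the status page, proxy or imagemap file, which this text check does not evaluate.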

Impact
Check references for details about every vulnerability.

Recommendation
Upgrade Apache 2.x to the latest version.

References
Apache homepage
Apache HTTP Server 2.x announcement