Apache 2.x version older than 2.2.8

Description
This alert was generated using only banner information. It may be a false positive.


Fixed in Apache httpd 2.2.8:

  • low: mod_proxy_ftp UTF-7 XSS CVE-2008-0005
    A workaround was added in the mod_proxy_ftp module. On sites where mod_proxy_ftp is enabled and a forward proxy is configured, a cross-site scripting attack is possible against Web browsers which do not correctly derive the response character set following the rules in RFC 2616.
  • low: mod_proxy_balancer DoS CVE-2007-6422
    A flaw was found in the mod_proxy_balancer module. On sites where mod_proxy_balancer is enabled, an authorized user could send a carefully crafted request that would cause the Apache child process handling that request to crash. This could lead to a denial of service if using a threaded Multi-Processing Module.
  • low: mod_proxy_balancer XSS CVE-2007-6421
    A flaw was found in the mod_proxy_balancer module. On sites where mod_proxy_balancer is enabled, a cross-site scripting attack against an authorized user is possible.
  • moderate: mod_status XSS CVE-2007-6388
    A flaw was found in the mod_status module. On sites where mod_status is enabled and the status pages are publicly accessible, a cross-site scripting attack is possible. Note that the server-status page is not enabled by default and it is best practice not to make it publicly available.
  • moderate: mod_imagemap XSS CVE-2007-5000
    A flaw was found in the mod_imagemap module. On sites where mod_imagemap is enabled and an imagemap file is publicly available, a cross-site scripting attack is possible.


Affected Apache versions: up to 2.2.6.
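Because the alert relies only on the banner, it helps to check which of the listed modules are actually loaded on the host. The following triage sketch is an added example, not part of the original alert or of any scanner's code. It assumes you can capture the `Server` header and the output of `apachectl -M`; the sample inputs are constructed.

```python
import re

# Fixes listed above for 2.2.8, keyed by the module identifier that
# `apachectl -M` prints (mod_status is shown as status_module, and so on).
FIXED_IN_2_2_8 = {
    "proxy_ftp_module": ["CVE-2008-0005"],
    "proxy_balancer_module": ["CVE-2007-6422", "CVE-2007-6421"],
    "status_module": ["CVE-2007-6388"],
    "imagemap_module": ["CVE-2007-5000"],
}

# Constructed sample inputs, not taken from a real host.
SAMPLE_BANNER = "Apache/2.2.6 (Unix)"
SAMPLE_MODULES = """Loaded Modules:
 core_module (static)
 status_module (shared)
 proxy_module (shared)
 proxy_balancer_module (shared)
Syntax OK
"""

def banner_version(server_header):
    """Return (major, minor, patch), or None when the banner hides the version."""
    m = re.search(r"\bApache/(\d+)\.(\d+)\.(\d+)", server_header)
    return tuple(int(part) for part in m.groups()) if m else None

def loaded_modules(apachectl_m_output):
    """Extract module identifiers from `apachectl -M` output."""
    return set(re.findall(r"^\s*(\w+_module)\b", apachectl_m_output, re.M))

def triage(server_header, apachectl_m_output):
    """Narrow the banner-only alert to the CVEs whose module is loaded."""
    version = banner_version(server_header)
    if version is None:
        return {"status": "version hidden", "cves": []}
    if version[0] != 2 or version >= (2, 2, 8):
        return {"status": "not flagged", "cves": []}
    mods = loaded_modules(apachectl_m_output)
    cves = sorted(c for mod, ids in FIXED_IN_2_2_8.items() if mod in mods
                  for c in ids)
    # A loaded module still needs its precondition checked (forward proxy
    # configured, status page publicly accessible, imagemap file published).
    status = "review" if cves else "no listed module loaded"
    return {"status": status, "cves": cves}

if __name__ == "__main__":
    print(triage(SAMPLE_BANNER, SAMPLE_MODULES))
```

A "review" result only means that an affected module is loaded. Vendor packages that backport fixes without changing the version string are another reason the banner alone can produce a false positive.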

Impact
Check references for details about every vulnerability.

Recommendation
Upgrade Apache 2.x to the latest version.

References
Apache homepage
Apache httpd 2.2 vulnerabilities