Apache 2.x version older than 2.2.8

Description
  • This alert was generated using only banner information. It may be a false positive.

    Fixed in Apache httpd 2.2.8:

      • low: mod_proxy_ftp UTF-7 XSS CVE-2008-0005
        A workaround was added in the mod_proxy_ftp module. On sites where mod_proxy_ftp is enabled and a forward proxy is configured, a cross-site scripting attack is possible against Web browsers which do not correctly derive the response character set following the rules in RFC 2616.

      • low: mod_proxy_balancer DoS CVE-2007-6422
        A flaw was found in the mod_proxy_balancer module. On sites where mod_proxy_balancer is enabled, an authorized user could send a carefully crafted request that would cause the Apache child process handling that request to crash. This could lead to a denial of service if using a threaded Multi-Processing Module.

      • low: mod_proxy_balancer XSS CVE-2007-6421
        A flaw was found in the mod_proxy_balancer module. On sites where mod_proxy_balancer is enabled, a cross-site scripting attack against an authorized user is possible.

      • moderate: mod_status XSS CVE-2007-6388
        A flaw was found in the mod_status module. On sites where mod_status is enabled and the status pages were publicly accessible, a cross-site scripting attack is possible. Note that the server-status page is not enabled by default and it is best practice to not make this publicly available.

      • moderate: mod_imagemap XSS CVE-2007-5000
        A flaw was found in the mod_imagemap module. On sites where mod_imagemap is enabled and an imagemap file is publicly available, a cross-site scripting attack is possible.

    Affected Apache versions (up to 2.2.6).
Remediation
  • Upgrade Apache 2.x to the latest version.