CVE-2007-4465

Publication date 14 September 2007

Last updated 24 July 2024


Ubuntu priority

Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitrary web script or HTML via the P parameter using the UTF-7 charset. NOTE: it could be argued that this issue is due to a design limitation of browsers that attempt to perform automatic content type detection.


Status

Package    Ubuntu Release     Status
apache2    7.10 gutsy         Fixed 2.2.4-3ubuntu0.1
apache2    7.04 feisty        Fixed 2.2.3-3.2ubuntu2.1
apache2    6.10 edgy          Fixed 2.0.55-4ubuntu4.2
apache2    6.06 LTS dapper    Fixed 2.0.55-4ubuntu2.3

Notes


jdstrand

Red Hat has a patch for all of their releases now

References

Related Ubuntu Security Notices (USN)

    • USN-575-1: Apache vulnerabilities (4 February 2008)

Other references