CVE-2008-0455

Priority
Description
Cross-site scripting (XSS) vulnerability in the mod_negotiation module in
the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and
earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series
allows remote authenticated users to inject arbitrary web script or HTML by
uploading a file with a name containing XSS sequences and a file extension,
which leads to injection within a (1) "406 Not Acceptable" or (2) "300
Multiple Choices" HTTP response when the extension is omitted in a request
for the file.
Notes
 mdeslaur> Doesn't appear to be fixed by upstream or by vendors as of 2009-02-23
 mdeslaur> Need to be able to create a file with a special filename. If you can
 mdeslaur> do that, you can put the XSS directly in the file...so this isn't
 mdeslaur> really a security issue.
 mdeslaur> See: http://mail-archives.apache.org/mod_mbox/httpd-dev/200802.mbox/%3CFDD5D99066749040AF9098A720E98977080B7263@CIWMEXZSA0E.ex.ordersx.org%3E
Assigned-to
mdeslaur
Package
Upstream:not-affected (1.3.39)
Package
Upstream:not-affected (2.2.6, 2.0.61)
More Information

Updated: 2019-03-26 12:28:01 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)