Apache2 Undefined Charset UTF-7 XSS Vulnerability?

Well, first up it's only going to affect you if you are using the mod_autoindex If you're not then you can stop reading now as there is no vulnerability on code you're running (though ideally, don't start using this module until you've updated the server) Otherwise, it seems that an attacker can exploit the fact that the character set is not explicitly set to embed their own script into a page given a particularly crafted URL. This URL would use the "P" parameter in order to specify a filter for the autoindexing; an example exploit has understandably not been given but presumably certain clever manipulating of text would allow the attacker to insert their own Javascript onto the returned page Hence it's a standard XSS attack (read the link if you're not familiar with the ramifications) I would strongly suggest that you do upgrade, if you're affected, in order to get full security. Taking a website down for a while for security upgrades should be understood by its users, and it's much better than suffering an exploit.

However, a workaround in the meantime would be to strip out any P parameters from incoming requests (assuming that no other pages on your site accept such a parameter, and that no other pages rely on passing filters to autoindexed pages), or even just disable the autoindexing mod altogether.

Well, first up it's only going to affect you if you are using the mod_autoindex. If you're not then you can stop reading now as there is no vulnerability on code you're running (though ideally, don't start using this module until you've updated the server). Otherwise, it seems that an attacker can exploit the fact that the character set is not explicitly set to embed their own script into a page given a particularly crafted URL.

This URL would use the "P" parameter in order to specify a filter for the autoindexing; an example exploit has understandably not been given but presumably certain clever manipulating of text would allow the attacker to insert their own Javascript onto the returned page. Hence it's a standard XSS attack (read the link if you're not familiar with the ramifications). I would strongly suggest that you do upgrade, if you're affected, in order to get full security.

Taking a website down for a while for security upgrades should be understood by its users, and it's much better than suffering an exploit. However, a workaround in the meantime would be to strip out any P parameters from incoming requests (assuming that no other pages on your site accept such a parameter, and that no other pages rely on passing filters to autoindexed pages), or even just disable the autoindexing mod altogether.

Thanks, you are right -- but it didn't help the server pass the Vulnerability assessment test, so upgraded it. – Mohit Nanda Feb 10 '09 at 7:15.

I ended up updating to Apache 2.2.11! However, dtsazza's answer was right, but MY VA testing team wouldn't buy it. :).

I cant really gove you an answer,but what I can give you is a way to a solution, that is you have to find the anglde that you relate to or peaks your interest. A good paper is one that people get drawn into because it reaches them ln some way.As for me WW11 to me, I think of the holocaust and the effect it had on the survivors, their families and those who stood by and did nothing until it was too late.