CVE-2008-0005

Name of the Vulnerable Software and Affected Versions Apache versions 1.3.x before 1.3.40-dev Apache versions 2.0.x before 2.0.62-dev Apache versions 2.2.x before 2.2.7-dev

Description The issue allows remote attackers to conduct cross-site scripting (XSS) attacks using UTF-7 encoding because mod proxy ftp does not define a charset. This can be exploited against Web browsers that do not correctly derive the response character set following the rules in RFC 2616.

Recommendations For Apache versions 1.3.x before 1.3.40-dev, update to version 1.3.40-dev or later to resolve the issue. For Apache versions 2.0.x before 2.0.62-dev, update to version 2.0.62-dev or later to resolve the issue. For Apache versions 2.2.x before 2.2.7-dev, update to version 2.2.7-dev or later to resolve the issue. As a temporary workaround, consider disabling the mod proxy ftp module on sites where it is enabled and a forward proxy is configured to minimize the risk of cross-site scripting attacks.