CVE-2008-0455

Name of the Vulnerable Software and Affected Versions Apache HTTP Server versions 1.3.39 and earlier, 2.0.61 and earlier, 2.2.6 and earlier

Description A cross-site scripting (XSS) issue exists in the mod negotiation module, allowing remote authenticated users to inject arbitrary web script or HTML by uploading a file with a name containing XSS sequences and a file extension. This leads to injection within a "406 Not Acceptable" or "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.

Recommendations For Apache HTTP Server versions 1.3.39 and earlier, 2.0.61 and earlier, 2.2.6 and earlier, consider disabling the mod negotiation module until a patch is available to prevent exploitation of this issue. Restrict access to file uploads to minimize the risk of arbitrary web script or HTML injection. Avoid using file extensions in requests for files uploaded with potentially malicious names.