Nortel Response to Apache 1.3 and 2.0 Web Server Daemon Vulnerabilities
| Description: |
Before taking any action please ensure that you are viewing the latest official version of this security advisory by referencing http://www.nortel.com/securityadvisories

Apache has recently provided fixes for the following issue: "Security Vulnerabilities in the Apache 1.3 and 2.0 Web Server Daemon and "mod_status" Module May Lead to Cross Site Scripting (XSS) or Denial of Service (DoS)." Some Nortel products contain this software as a component and thus are potentially affected by the vulnerabilities addressed. This bulletin provides a multi-product consolidated response for the Nortel products which are potentially affected.

Following is a detailed description of the vulnerability:

A vulnerability was reported in Apache mod_status. A remote user can conduct cross-site scripting attacks. The mod_status module does not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Apache software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The impact is that a remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Apache software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. |
| Type: |
Security Advisories |
| Number: |
2008008602, Rev 1 |
| Status: |
Retired |
| Date: |
2008-08-29 |
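
An added example, not part of the Nortel advisory or of Apache's code: a configuration check that lists `<Location>` blocks where the mod_status handler is reachable by any client, evaluated with the Apache 1.3/2.0 `Order`/`Allow`/`Deny` rules. It assumes that limiting who can reach the status page reduces exposure to the mod_status issue described above; the sample configuration and the function names are constructed for illustration.

```python
import re
# Constructed sample in Apache 1.3/2.0 syntax (assumption, not from any Nortel product).
SAMPLE_CONF = """\
<Location /server-status>
    SetHandler server-status
</Location>
<Location /status-local>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
<Location /status-open>
    SetHandler server-status
    Order allow,deny
    Allow from all
</Location>
"""
BLOCK = re.compile(r"<Location\s+([^>]+)>(.*?)</Location>", re.I | re.S)

def directives(body):
    """Yield (name, args) for each non-comment directive line, lowercased."""
    for line in body.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            yield parts[0].lower(), [p.lower() for p in parts[1:]]

def open_status_locations(conf_text):
    """Return paths whose server-status handler is reachable by any client."""
    exposed = []
    for path, body in BLOCK.findall(conf_text):
        order, allow, deny, is_status = "deny,allow", set(), set(), False
        for name, args in directives(body):
            if name == "sethandler" and args == ["server-status"]:
                is_status = True
            elif name == "order" and args:
                order = args[0]
            elif name in ("allow", "deny") and args[:1] == ["from"]:
                (allow if name == "allow" else deny).update(args[1:])
        if order == "deny,allow":   # default allow; Allow overrides Deny
            is_open = "all" not in deny or "all" in allow
        else:                        # allow,deny / mutual-failure: default deny
            is_open = "all" in allow and "all" not in deny
        if is_status and is_open:
            exposed.append(path.strip())
    return exposed

if __name__ == "__main__":
    print(open_status_locations(SAMPLE_CONF))
```

The check only reads `<Location>` blocks in the text it is given; handlers enabled through other containers or included files need the same review.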