Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 175602 - CVE-2005-3352 cross-site scripting flaw in mod_imap
CVE-2005-3352 cross-site scripting flaw in mod_imap
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: httpd (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Joe Orton
: Security
Depends On:
Blocks: CVE-2005-3352
  Show dependency treegraph
Reported: 2005-12-13 04:04 EST by Mark J. Cox
Modified: 2008-01-28 11:25 EST (History)
0 users

See Also:
Fixed In Version: RHSA-2006-0159
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-01-05 10:55:30 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Apache Bugzilla 37874 None None None Never
Red Hat Product Errata RHSA-2006:0159 normal SHIPPED_LIVE Moderate: httpd security update 2006-01-05 00:00:00 EST

  None (edit)
Description Mark J. Cox 2005-12-13 04:04:20 EST
From http://issues.apache.org/bugzilla/show_bug.cgi?id=37874


A flaw in the imagemap processing module, mod_imap, in versions of Apache httpd
1.3, 2.0 and 2.2 can in some circumstances cause the referer header to be output
without being escaped in HTML.  This could allow an attacker who is able to
influence the referer header the ability to do cross-site scripting attacks
against sites using mod_imap in a vulnerable configuration.


moderate (http://httpd.apache.org/security/impact_levels.html)


This flaw only affects sites using mod_imap with a map file that contains the
"referer" directive.

In order to exploit this flaw the attacker would need to control the  referer
header and therefore would need to entice a victim to visit a URL under the
attackers control.

A sucessful cross-site scripting attack using this flaw would be limited to
certain browsers.  Firefox and Mozilla browsers for example already escape
suspect characters in a URL which blocks this from being exploited.


The attached patch ensures that the referer header in mod_imap is escaped and
therefore cannot be used as part of a cross-site scripting attack.

Where this patch cannot be used, a temporary solution is to remove the "referer"
directive from any map files.


I was able to verify this by constructing a victim site with a vulnerable
mod_imap configuration and by constructing a set of scripts on the attacker
site.  When the attackers site was visited using the Internet Explorer browser
it was able to steal the users private cookies from the victim site.

Patches available at the above URL
Affects RHEL4, RHEL3, RHEL2.1
Comment 4 Red Hat Bugzilla 2006-01-05 10:55:30 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.