mod_autoindex in httpd contains a cross-site scripting flaw via the P query option.
More information can be found in the original vulnerability report here:
Can you comment on this? Should this flaw be rated as having low severity?
Joe says this should be low, so low it is.
According to NVD:
Official Statement from Apache (9/14/2007)
The Apache security team believe that this issue is due to web browsers that are
However, Apache 2.2.6 and 2.0.61 add a workaround for such browsers by adding
Type and Charset options to IndexOptions directive. This allows a site
administrator to explicitly set the content-type and charset of the generated
directory index page.
A flaw was found in the mod_autoindex module. On sites where directory
listings are used, and the AddDefaultCharset directive has been removed
from the configuration, a cross-site-scripting attack may be possible
against browsers which do not correctly derive the response character set
following the rules in RFC 2616. (CVE-2007-4465)
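A defender-side check for the condition described above (directory listings enabled, no AddDefaultCharset, no Charset option in IndexOptions), given here as an added example that is not part of the original report or of Apache's code. The sample configurations are constructed, and the scope model is an assumption: it follows lexical nesting of sections only and does not reproduce httpd's full merge rules or .htaccess files.

```python
import re

# Constructed sample configurations for illustration (not taken from the page).
WEAK_CONF = """\
<Directory "/var/www/html/pub">
    Options +Indexes
    IndexOptions FancyIndexing
</Directory>
"""
FIXED_CONF = WEAK_CONF.replace("FancyIndexing", "FancyIndexing Charset=UTF-8 Type=text/html")

def parse_scopes(conf_text):  # scope 0 is server level; sections nest lexically
    scopes, stack = [{"name": "server", "parent": None}], [0]
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sect = re.match(r"<(/?)(\w+)\s*([^>]*)>", line)
        if sect and sect.group(1):
            stack = stack[:-1] or [0]            # closing tag; never pop server scope
        elif sect:
            scopes.append({"name": " ".join(sect.group(2, 3)).strip(), "parent": stack[-1]})
            stack.append(len(scopes) - 1)
        else:
            name, *low = line.lower().split()    # directive names are case-insensitive
            cur = scopes[stack[-1]]
            if name == "adddefaultcharset" and low:
                cur["default_charset"] = low[0] != "off"
            elif name == "indexoptions" and any(w.lstrip("+").startswith("charset=") for w in low):
                cur["index_charset"] = True
            elif name == "options" and low:
                if any(w[0] not in "+-" for w in low):   # absolute form replaces inherited set
                    cur["indexes"] = "indexes" in low or "all" in low
                elif "+indexes" in low or "-indexes" in low:
                    cur["indexes"] = "+indexes" in low
    return scopes

def effective(scopes, i, key):  # nearest setting for key, walking up to server level
    while i is not None and key not in scopes[i]:
        i = scopes[i]["parent"]
    return i is not None and scopes[i][key]

def audit(conf_text):  # names of scopes serving index pages with no charset pinned
    scopes = parse_scopes(conf_text)
    return [s["name"] for i, s in enumerate(scopes)
            if effective(scopes, i, "indexes")
            and not any(effective(scopes, i, k) for k in ("default_charset", "index_charset"))]

if __name__ == "__main__":
    print("weak :", audit(WEAK_CONF))
    print("fixed:", audit(FIXED_CONF))
```

Any scope that `audit` returns should get either an `AddDefaultCharset` value or `Charset=` (and optionally `Type=`) in its `IndexOptions`, which requires httpd 2.2.6 or 2.0.61 as noted in the statement above.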
This issue has been addressed in the following products:
Red Hat Certificate System 7.3
Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html