Red Hat Bugzilla – Bug 458250
CVE-2008-2939 httpd: mod_proxy_ftp globbing XSS
Last modified: 2016-03-04 06:52:13 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2939 to the following vulnerability:
Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via wildcards in a pathname in an FTP URI.
This is low severity as it requires proxying to be enabled, mod_proxy-ftp to be
enabled to support ftp-over-httpd.
Release note added. If any revisions are required, please set the
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.
A flaw was found in the mod_proxy_ftp module. Where Apache is configured to support ftp-over-httpd proxying, a remote attacker could perform a cross-site scripting attack. (CVE-2008-2939)
This issue has been addressed in following products:
Red Hat Certificate System 7.3
Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html
This issue has been addressed in Red Hat Enterprise Linux 3, 4 and 5. For more information see: