mod_autoindex in httpd contains a cross site scripting flaw via the P query option. More information can be found in the original vulnerability report here: http://www.securityfocus.com/archive/1/479237/30/0/threaded
Joe, Can you comment on this, should this flaw be rated as having low severity?
Joe says this should be low, so low it is.
According to NVD: Official Statement from Apache (9/14/2007) The Apache security team believe that this issue is due to web browsers that are violating RFC2616. However, Apache 2.2.6 and 2.0.61 add a workaround for such browsers by adding Type and Charset options to IndexOptions directive. This allows a site administrator to explicitly set the content-type and charset of the generated directory index page.
A flaw was found in the mod_autoindex module. On sites where directory listings are used, and the AddDefaultCharset directive has been removed from the configuration, a cross-site-scripting attack may be possible against browsers which do not correctly derive the response character set following the rules in RFC 2616. (CVE-2007-4465)
This issue has been addressed in following products: Red Hat Certificate System 7.3 Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html