19 July 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2009.1017
                        Flaws in Hitachi Web server
                                20 July 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Hitachi Web server
Operating System:     Linux variants
                      HP-UX
                      Windows
                      AIX
Impact/Access:        Cross-site Scripting -- Remote/Unauthenticated
                      Denial of Service    -- Remote/Unauthenticated
Resolution:           Upgrade
Member content until: Wednesday, August 19 2009

OVERVIEW

        Two vulnerabilities identified in Hitachi Web server have been
        corrected by the vendor.

IMPACT

        A cross-site scripting vulnerability can be exploited when a
        Hitachi Web Server automatically creates a server status page in
        response to a request containing malicious scripts, potentially
        allowing those scripts to be executed on a client.

        An invalid response from a remote backend server may cause a
        Hitachi Web Server to experience a denial of service if the
        system uses the reverse proxy function.

MITIGATION

        The vendor recommends upgrading to the appropriate version. [1, 2]

REFERENCES

        [1] Cross-Site Scripting Vulnerability in Hitachi Web Server
            Function for Creating Server-Status Pages
            http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS07-035/index.html

        [2] Vulnerability When Using a Reverse Proxy Function of Hitachi
            Web Server
            http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS07-039/index.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: email@example.com
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFKY+6yNVH5XJJInbgRAvHmAKCGXhRvPnN+56S0doVZkxRuFIYEZACcCSCR
wmI31LR+cg5mdzxFn1aLcro=
=CiPr
-----END PGP SIGNATURE-----
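The first IMPACT item above is the general class of flaw in which a server-generated status page echoes request fields without neutralising markup. The following Python is an added illustration, not Hitachi Web Server code and not from the bulletin: the row template, the field names and the sample request records are constructed assumptions. It places the vulnerable rendering pattern beside the escaped one and adds a review check that reports any request field whose raw tag markup survived into the rendered page.

```python
# Added example, not Hitachi Web Server code: the advisory states only that a
# server-status page echoed request content without neutralising markup. The
# renderer, field names and sample requests here are constructed assumptions.
import html
import re

# Constructed sample of the per-request records a status page would list
SAMPLE_REQUESTS = [
    {"client": "203.0.113.10", "method": "GET", "path": "/index.html"},
    # A request whose path carries script markup, as the advisory describes
    {"client": "198.51.100.7", "method": "GET",
     "path": "/search?q=<script>document.title='x'</script>"},
]

ROW = "<tr><td>{client}</td><td>{method} {path}</td></tr>"


def render_row_unescaped(req):
    """Vulnerable pattern: request-derived fields interpolated verbatim."""
    return ROW.format(**req)


def render_row_escaped(req):
    """Hardened pattern: every request-derived field is HTML-escaped first."""
    safe = {k: html.escape(str(v), quote=True) for k, v in req.items()}
    return ROW.format(**safe)


def render_status_page(requests, row_renderer=render_row_escaped):
    """Assemble the status page; defaults to the escaping row renderer."""
    rows = "\n".join(row_renderer(r) for r in requests)
    return ("<html><body><h1>Server Status</h1>\n<table>\n"
            "<tr><th>Client</th><th>Request</th></tr>\n"
            + rows + "\n</table></body></html>")


# Anything that looks like the start of an HTML tag in an untrusted value
_TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z]")


def untrusted_markup_leaks(page, requests):
    """Review check: request fields whose raw tag markup survived into the page.

    Returns a list of (field, value); an empty list means every markup-bearing
    field was neutralised before it reached the page.
    """
    leaks = []
    for req in requests:
        for field, value in req.items():
            value = str(value)
            if _TAG_RE.search(value) and value in page:
                leaks.append((field, value))
    return leaks


if __name__ == "__main__":
    for name, renderer in (("unescaped", render_row_unescaped),
                           ("escaped", render_row_escaped)):
        page = render_status_page(SAMPLE_REQUESTS, renderer)
        print(name, "leaks:", untrusted_markup_leaks(page, SAMPLE_REQUESTS))
```

Escaping at the point where each request-derived value is written into HTML is the fix that survives template changes; a single leaked field is enough to reintroduce the issue, which is why the check walks every field of every record rather than only the path.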
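The second IMPACT item above concerns a reverse proxy that fails when the backend returns an invalid response. The following Python is an added illustration, not Hitachi Web Server code and not from the bulletin: the head parser, the size and count limits, the header-name rule and the sample upstream replies are all constructed assumptions. It shows the defensive shape a proxy's response handling should take, where every malformed upstream reply is rejected through one exception type and converted into a 502 for the single client concerned rather than propagating into the worker.

```python
# Added example, not Hitachi Web Server code: the advisory says only that an
# invalid backend response can cause a denial of service through the reverse
# proxy function. The head parser, limits and sample responses are constructed.
import re

MAX_HEAD_BYTES = 16 * 1024   # constructed cap on status line plus headers
MAX_HEADERS = 100            # constructed cap on header count

_STATUS_RE = re.compile(rb"^HTTP/(\d)\.(\d) (\d{3})(?: [^\r\n]*)?$")
_TOKEN_RE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 7230 token


class BadUpstreamResponse(ValueError):
    """Raised for any upstream reply the proxy refuses to forward."""


def parse_upstream_head(raw):
    """Parse status line and headers; raise rather than trust anything odd."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadUpstreamResponse("no end of headers")
    if len(head) > MAX_HEAD_BYTES:
        raise BadUpstreamResponse("response head too large")
    lines = head.split(b"\r\n")
    m = _STATUS_RE.match(lines[0])
    if not m:
        raise BadUpstreamResponse("malformed status line")
    if len(lines) - 1 > MAX_HEADERS:
        raise BadUpstreamResponse("too many headers")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN_RE.match(name):
            raise BadUpstreamResponse("malformed header line")
        headers[name.decode("ascii").lower()] = value.strip().decode("latin-1")
    length = headers.get("content-length")
    if length is not None and not re.fullmatch(r"[0-9]+", length):
        raise BadUpstreamResponse("invalid Content-Length")
    return int(m.group(3)), headers


def proxy_response(raw_upstream):
    """Return the (status, detail) the proxy sends its client for one reply."""
    try:
        code, headers = parse_upstream_head(raw_upstream)
    except BadUpstreamResponse as exc:
        # Containment: one bad backend reply becomes one 502 for one client,
        # not an exception that unwinds the worker serving everyone else
        return 502, "Bad Gateway: " + str(exc)
    return code, headers.get("content-type", "application/octet-stream")


# Constructed upstream replies: one well-formed, the rest malformed
GOOD = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"
BAD_STATUS = b"HTTP/1.1 ZZZ OK\r\nContent-Type: text/html\r\n\r\n"
NO_HEADER_END = b"HTTP/1.1 200 OK\r\nContent-Type: text/html"
BAD_LENGTH = b"HTTP/1.1 200 OK\r\nContent-Length: -1\r\n\r\n"
BAD_NAME = b"HTTP/1.1 200 OK\r\nCont ent: x\r\n\r\n"

if __name__ == "__main__":
    for label, reply in (("good", GOOD), ("bad status", BAD_STATUS),
                         ("no header end", NO_HEADER_END),
                         ("bad length", BAD_LENGTH), ("bad name", BAD_NAME)):
        print(label, "->", proxy_response(reply))
```

The bounds on head size and header count matter as much as the syntax checks: a backend that never sends the blank line ending the headers should hit a limit (or a read timeout, which this offline example leaves out) and be turned into a 502 instead of holding the proxy's buffer and worker indefinitely.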