VYPR
Unrated severity · NVD Advisory · Published Aug 6, 2008 · Updated Apr 23, 2026

CVE-2008-2939

Description

Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting vulnerability in Apache mod_proxy_ftp allows remote attackers to inject arbitrary web script via a wildcard in an FTP URI path.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the proxy_ftp.c file of the mod_proxy_ftp module in Apache HTTP Server. The flaw is triggered when a wildcard (*) is used in the last directory component of the pathname in an FTP URI. This affects Apache 2.0.63 and earlier, and Apache 2.2.9 and earlier 2.2.x versions. The module must be enabled and configured to support FTP-over-HTTP proxying for the attack to be possible [2].

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted HTTP request to an Apache proxy server that includes an FTP URI containing a wildcard in the final directory component. No authentication is required, and the attack can be performed remotely. The crafted request causes the mod_proxy_ftp module to generate an error response that includes the unsanitized wildcard, leading to the injection of arbitrary HTML and script code [2].

Impact

Successful exploitation allows a remote attacker to inject arbitrary web script or HTML into the proxy server's response. This cross-site scripting (XSS) attack can be used to steal session cookies, deface web pages, or perform other malicious actions in the context of the affected proxy server's domain [1][2].

Mitigation

Apache has addressed this vulnerability in versions 2.0.64 and 2.2.10. Red Hat provided backported patches in RHSA-2008-0967 for Red Hat Enterprise Linux 3, 4, and 5 [2]. Apple included the fix in Security Update 2009-002 for Mac OS X v10.5.7 [1]. HP released updates for HP-UX Apache-based Web Server versions before v2.2.8.05 and v2.0.59.12 [3][4]. If upgrading is not immediately possible, disabling the mod_proxy_ftp module or restricting proxy access can serve as a workaround.
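As an added illustration of the workaround named above (not configuration from the page or from the Apache project), the following httpd.conf fragment, written in the Apache 2.0/2.2 directive syntax of the affected releases, shows a forward-proxy setup that leaves mod_proxy_ftp loaded and the proxy open beside a hardened form that does not load the module and limits who may use the proxy at all; the 192.168.0.0/16 range is an assumed example network.

```apache
# --- Weak: FTP-over-HTTP proxying enabled for anyone who can reach the server ---
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ftp_module  modules/mod_proxy_ftp.so   # vulnerable component (CVE-2008-2939)
ProxyRequests On                                       # open forward proxy: ftp:// URIs are relayed

# --- Hardened: module not loaded, forward proxying restricted ---
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
# mod_proxy_ftp deliberately not loaded until the fixed release (2.0.64 / 2.2.10) is installed
ProxyRequests On
<Proxy *>
    # 2.0/2.2 access-control syntax; only the assumed internal network may proxy through us
    Order deny,allow
    Deny from all
    Allow from 192.168.0.0/16
</Proxy>
```

If forward proxying is not needed at all, `ProxyRequests Off` removes the exposure entirely while still allowing explicit ProxyPass reverse-proxy rules.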

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (9)

  • cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* (range: <=2.0.63)
  • cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:* (range: <=10.5.6)
  • cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:7.10:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:opensuse:opensuse:10.2:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:opensuse:10.3:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:opensuse:11.0:*:*:*:*:*:*:*

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (62)

News mentions (0)

No linked articles in our index yet.