Does anyone have an idea how can I fix this vulnerability in Apache 2.2.4, without upgrading the Web Server?
This is what I found about it on the net at SecurityReason. The fix suggested by them is to upgrade it to version 2.2.6. But the server is live and upgrading t is the last resort.
Apache2 XSS Undefined Charset UTF-7 XSS Vulnerability
The XSS(UTF7) exist in mod_autoindex.c . Charset is not defined and we can provide XSS attack using ‘P’ option available in apache 2.2.4 by setting Charset to UTF-7.
‘P=pattern lists only files matching the given pattern’
Please suggest a solution for this.
Well, first up it’s only going to affect you if you are using the mod_autoindex. If you’re not then you can stop reading now as there is no vulnerability on code you’re running (though ideally, don’t start using this module until you’ve updated the server).
Otherwise, it seems that an attacker can exploit the fact that the character set is not explicitly set to embed their own script into a page given a particularly crafted URL. This URL would use the ‘P’ parameter in order to specify a filter for the autoindexing; an example exploit has understandably not been given but presumably certain clever manipulating of text would allow the attacker to insert their own Javascript onto the returned page.
Hence it’s a standard XSS attack (read the link if you’re not familiar with the ramifications).
I would strongly suggest that you do upgrade, if you’re affected, in order to get full security. Taking a website down for a while for security upgrades should be understood by its users, and it’s much better than suffering an exploit. However, a workaround in the meantime would be to strip out any P parameters from incoming requests (assuming that no other pages on your site accept such a parameter, and that no other pages rely on passing filters to autoindexed pages), or even just disable the autoindexing mod altogether.