CVE-2008-2168

Apache HTTP Server <= 2.2.6 - Cross-Site Scripting via UTF-7 Encoded URLs

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-2168. PoCs published by Yaniv Miron.

AI-analyzed exploit summary This exploit leverages a UTF-7 charset handling weakness in Microsoft Internet Explorer to facilitate cross-site scripting (XSS) attacks. The PoC demonstrates how malformed input can bypass sanitization, allowing arbitrary script execution in the context of the victim's browser.

Description

Cross-site scripting (XSS) vulnerability in Apache 2.2.6 and earlier allows remote attackers to inject arbitrary web script or HTML via UTF-7 encoded URLs that are not properly handled when displaying the 403 Forbidden error page.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Yaniv Miron · textremotewindows

https://www.exploit-db.com/exploits/31759

View Code ZIP pw:eip

This exploit leverages a UTF-7 charset handling weakness in Microsoft Internet Explorer to facilitate cross-site scripting (XSS) attacks. The PoC demonstrates how malformed input can bypass sanitization, allowing arbitrary script execution in the context of the victim's browser.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Microsoft Internet Explorer (all versions)

No auth needed

Prerequisites: Victim must visit a crafted URL · Target browser must be Internet Explorer

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (15)

Core 15

Core References

Third Party Advisory third-party-advisory x_refsource_sreason

http://securityreason.com/securityalert/3889

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/42303

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/34219

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/491967/100/0/threaded

Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5143

Mailing List vendor-advisory x_refsource_hp

http://marc.info/?l=bugtraq&m=125631037611762&w=2

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/31651

Mailing List vendor-advisory x_refsource_hp

http://marc.info/?l=bugtraq&m=124654546101607&w=2

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/29112

Vendor Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-731-1

Vendor Advisory vendor-advisory x_refsource_hp

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01539432

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/491901/100/0/threaded

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/491862/100/0/threaded

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/491930/100/0/threaded

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/35650

Scores

EPSS 0.5485

EPSS Percentile 98.9%

Details

CWE

CWE-79

Status published

Products (47)

apache/http_server

apache/http_server 2.0

apache/http_server 2.0.9

apache/http_server 2.0.28 (2 CPE variants)

apache/http_server 2.0.32 (2 CPE variants)

apache/http_server 2.0.34 beta

apache/http_server 2.0.35

apache/http_server 2.0.36

apache/http_server 2.0.37

apache/http_server 2.0.38

... and 37 more

Published May 13, 2008

Tracked Since Feb 18, 2026