Apache "Expect" Header Cross-Site Scripting Vulnerability

To: debian-apache@lists.debian.org
Subject: Apache "Expect" Header Cross-Site Scripting Vulnerability
From: nambo.kazu@oss.ntt.co.jp
Date: Wed, 02 Aug 2006 20:10:12 +0900 (JST)
Message-id: <[🔎] 20060802.201012.44298664.knambo@oss.ntt.co.jp>

Hi, experts.

I noticed Secunia reports a XSS vulnerability.
  http://secunia.com/advisories/21172/

Apache community already corrected this one, but originally
they did not treat a security flaw.
  http://svn.apache.org/viewvc?view=rev&revision=394965

In the Secunia Advisory, it seems Amit Klein shows that
this can be exploited via a specially crafted Flash file.
They also provide a Test Case.
  http://secunia.com/expect_header_cross-site_scripting_vulnerability_test/

Redhat seems to provide a security update.
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200732

Is it important?

Kazu Nambo

Reply to:

Prev by Date: Bug#381095: apache: considers local configuration file as its own
Next by Date: Bug#358543: apache: fails to install
Previous by thread: Bug#381095: apache: considers local configuration file as its own
Next by thread: Bug#358543: apache: fails to install
Index(es):
- Date
- Thread