[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#381376: CVE-2006-3918: Missing Expect header sanitation may lead to XSS vulnerabilities

Package: apache2
Version: 2.0.55-4
Severity: grave
Tags: security
Justification: user security hole

CVE-2006-3918 reads:
http_protocol.c in (1) IBM HTTP Server 6.0 before and 6.1
before, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0
before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect
header from an HTTP request when it is reflected back in an error
message, which might allow cross-site scripting (XSS) style attacks
using web client components that can send arbitrary headers in
requests, as demonstrated using a Flash SWF file.

Reply to: