Re: Bug#381376: CVE-2006-3918: Missing Expect header sanitation may lead to XSS vulnerabilities
Hi, how is it going?
The same bug was fixed in apache 1.3.34(#381381) on 15 Aug 2006,
but not fixed in apache 2.0.55(#381376).
I hope it will be fixed as soon as possible.
Out customers worry about it.
Thanks in advance.
Subject: Bug#381376: CVE-2006-3918: Missing Expect header sanitation may lead to XSS vulnerabilities
Date: Fri, 04 Aug 2006 00:21:15 +0200
> Package: apache2
> Version: 2.0.55-4
> Severity: grave
> Tags: security
> Justification: user security hole
> CVE-2006-3918 reads:
> http_protocol.c in (1) IBM HTTP Server 6.0 before 18.104.22.168 and 6.1
> before 22.214.171.124, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0
> before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect
> header from an HTTP request when it is reflected back in an error
> message, which might allow cross-site scripting (XSS) style attacks
> using web client components that can send arbitrary headers in
> requests, as demonstrated using a Flash SWF file.
> To UNSUBSCRIBE, email to debian-apache-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact firstname.lastname@example.org