Bug#381381: CVE-2006-3918: Missing Expect header sanitation may lead to XSS vulnerabilities

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#381381: CVE-2006-3918: Missing Expect header sanitation may lead to XSS vulnerabilities
From: Stefan Fritsch <sf@sfritsch.de>
Date: Fri, 04 Aug 2006 00:32:34 +0200
Message-id: <[🔎] 20060803223234.17881.64076.reportbug@k.lan>
Reply-to: Stefan Fritsch <sf@sfritsch.de>, 381381@bugs.debian.org

Package: apache
Version: 1.3.34-2
Severity: grave
Tags: security
Justification: user security hole


CVE-2006-3918 reads:
http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1
before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0
before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect
header from an HTTP request when it is reflected back in an error
message, which might allow cross-site scripting (XSS) style attacks
using web client components that can send arbitrary headers in
requests, as demonstrated using a Flash SWF file.

Reply to:

Follow-Ups:
- Bug#381381: marked as done (CVE-2006-3918: Missing Expect header sanitation may lead to XSS vulnerabilities)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#381376: CVE-2006-3918: Missing Expect header sanitation may lead to XSS vulnerabilities
Next by Date: Bug#353450: Small bug
Previous by thread: Re: Bug#381376: CVE-2006-3918: Missing Expect header sanitation may lead to XSS vulnerabilities
Next by thread: Bug#381381: marked as done (CVE-2006-3918: Missing Expect header sanitation may lead to XSS vulnerabilities)
Index(es):
- Date
- Thread