[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#381376: CVE-2006-3918: Missing Expect header sanitation may lead to XSS vulnerabilities

Hi, how is it going?

The same bug was fixed in apache 1.3.34(#381381) on 15 Aug 2006,
but not fixed in apache 2.0.55(#381376).

I hope it will be fixed as soon as possible.
Out customers worry about it.

Thanks in advance.
Kazu Nambo


From: sf@sfritsch.de
Subject: Bug#381376: CVE-2006-3918: Missing Expect header sanitation may lead to XSS vulnerabilities
Date: Fri, 04 Aug 2006 00:21:15 +0200

> Package: apache2
> Version: 2.0.55-4
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> CVE-2006-3918 reads:
> http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1
> before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0
> before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect
> header from an HTTP request when it is reflected back in an error
> message, which might allow cross-site scripting (XSS) style attacks
> using web client components that can send arbitrary headers in
> requests, as demonstrated using a Flash SWF file.
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-apache-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
Reply to: