CVE Reference: CVE-2006-3918

NOTE: The text on this page is written by CVE MITRE and reflects neither the opinions of Secunia nor the results of our research. All data on this page is written and maintained by CVE MITRE.

Original Page at CVE MITRE:
CVE-2006-3918

Description:
http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.
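
The mechanism described above can be checked directly: an Expect value other than "100-continue" makes Apache answer 417 Expectation Failed and echo the offending value in the error page. The following probe is an added example, not code from Secunia, MITRE, IBM or the Apache project. It builds the raw request, classifies the reply as vulnerable (marker echoed verbatim), escaped (marker HTML-escaped, which is what the fix produces), or not reflected, and optionally runs against a live host. The two sample replies are constructed for the example, modelled on the shape of Apache's 417 page, and the host name used in the usage line is a placeholder.

```python
"""Probe for Expect-header reflection (CVE-2006-3918 style).

Added example; not code from Secunia, MITRE, IBM or the Apache project.
The sample replies below are constructed, not captured from a server.
"""
import html
import socket
import sys

# Marker deliberately avoids quotes and '&' so that the escaped form is
# unambiguous; it is header-safe ASCII so it can travel in a request line.
MARKER = "<img src=x onerror=alert(1)>"


def build_probe(host: str, path: str = "/", marker: str = MARKER) -> bytes:
    """Raw HTTP/1.1 request carrying a non-'100-continue' Expect value."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Expect: {marker}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def parse_response(raw: bytes):
    """Split a raw HTTP reply into (status line, body as text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    return status_line, body.decode("latin-1", "replace")


def classify(status_line: str, body: str, marker: str = MARKER) -> str:
    """Judge a reply to the probe.

    'vulnerable'   : marker echoed verbatim into the HTML error page
    'escaped'      : marker echoed HTML-escaped (the patched behaviour)
    'not-reflected': 417 returned but the value is not echoed at all
    'no-417'       : server did not answer with 417 (other software / proxy)
    """
    if " 417 " not in status_line:
        return "no-417"
    if marker in body:
        return "vulnerable"
    if html.escape(marker, quote=False) in body:
        return "escaped"
    return "not-reflected"


def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send the probe to a live host and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe(host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify(*parse_response(b"".join(chunks)))


# Constructed sample: the shape of the 417 page before the fix, with the
# Expect value pasted into the body unchanged.
VULNERABLE_REPLY = (
    b"HTTP/1.1 417 Expectation Failed\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
    b"<html><head><title>417 Expectation Failed</title></head><body>\n"
    b"<p>The expectation given in the Expect request-header\n"
    b"field could not be met by this server.\n"
    b"The client sent<pre>\n    Expect: " + MARKER.encode("ascii") + b"\n</pre>\n"
    b"but we only allow the 100-continue expectation.</p>\n</body></html>\n"
)

# Constructed sample: the same page after the value is HTML-escaped.
FIXED_REPLY = VULNERABLE_REPLY.replace(
    MARKER.encode("ascii"), html.escape(MARKER, quote=False).encode("ascii")
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python probe.py www.example.test  (placeholder host)
        print(sys.argv[1], "->", probe(sys.argv[1]))
    else:
        for name, raw in (("constructed vulnerable", VULNERABLE_REPLY),
                          ("constructed fixed", FIXED_REPLY)):
            print(name, "->", classify(*parse_response(raw)))
```

A "vulnerable" verdict only shows that the server reflects the header unescaped; turning that into a cross-site attack needs a client that can put an arbitrary Expect header on a cross-origin request, which is why the original report used a Flash SWF. Browsers do not allow scripts to set Expect through XMLHttpRequest or fetch, so the probe above is a server-side check, not a demonstration of exploitability from a victim's browser.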

CVE Status:
Candidate

References:

UBUNTU
  http://www.ubuntu.com/usn/usn-575-1

SUSE
  http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00004.html
  http://www.novell.com/linux/security/advisories/2006_51_apache.html

ST
  1016569
  1024144

SREASON
  http://securityreason.com/securityalert/1294

SGI

SAID
  Secunia Advisory: SA28749
  Secunia Advisory: SA22317
  Secunia Advisory: SA22523
  Secunia Advisory: SA21986
  Secunia Advisory: SA22140
  Secunia Advisory: SA21598
  Secunia Advisory: SA21744
  Secunia Advisory: SA21848
  Secunia Advisory: SA21399
  Secunia Advisory: SA21478
  Secunia Advisory: SA21174
  Secunia Advisory: SA21172
  Secunia Advisory: SA40256
  Secunia Advisory: SA29640

REDHAT
  http://rhn.redhat.com/errata/RHSA-2006-0692.html
  http://www.redhat.com/support/errata/RHSA-2006-0619.html
  http://rhn.redhat.com/errata/RHSA-2006-0618.html

OVAL
  http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:12238
  http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10352

OPENBSD
  http://openbsd.org/errata.html#httpd2

HP
  http://marc.info/?l=bugtraq&m=129190899612998&w=2
  http://marc.info/?l=bugtraq&m=130497311408250&w=2
  http://marc.info/?l=bugtraq&m=125631037611762&w=2

DEBIAN
  http://www.debian.org/security/2006/dsa-1167

CONFIRM
  http://kb.vmware.com/KanisaPlatform/Publishing/466/5915871_f.SAL_Public.html
  http://www.f-secure.com/en_EMEA/support/security-advisory/fsc-2010-2.html
  http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3117
  http://support.avaya.com/elmodocs2/security/ASA-2006-194.htm
  http://svn.apache.org/viewvc?view=rev&revision=394965

BUGTRAQ
  http://archives.neohapsis.com/archives/bugtraq/2006-07/0425.html
  http://archives.neohapsis.com/archives/bugtraq/2006-05/0151.html

BID
  19661

AIXAPAR
  http://www-1.ibm.com/support/docview.wss?uid=swg24013080
  http://www-1.ibm.com/support/docview.wss?uid=swg1PK24631
