CVE-2008-1544 - Secunia Advisories - Vulnerability Information

CVE Reference: CVE-2008-1544
NOTE: The text on this page is written by CVE MITRE and reflects neither the opinions of Secunia or the results of our research. All data on this page is written and maintained by CVE MITRE.

Original Page at CVE MITRE: CVE-2008-1544

Description: The setRequestHeader method of the XMLHttpRequest object in Microsoft Internet Explorer 5.01, 6, and 7 does not block dangerous HTTP request headers when certain 8-bit character sequences are appended to a header name, which allows remote attackers to (1) conduct HTTP request splitting and HTTP request smuggling attacks via an incorrect Content-Length header, (2) access arbitrary virtual hosts via a modified Host header, (3) bypass referrer restrictions via an incorrect Referer header, and (4) bypass the same-origin policy and obtain sensitive information via a crafted request header.

CVE Status: Candidate

References: ST 1020226 SREASON http://securityreason.com/securityalert/3785 SAID Secunia Advisory: SA29453 OVAL http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5291 MS http://www.microsoft.com/technet/security/bulletin/ms08-031.mspx MISC http://www.mindedsecurity.com/MSA02240108.html HP http://marc.info/?l=bugtraq&m=121380194923597&w=2 CERT http://www.us-cert.gov/cas/techalerts/TA08-162B.html BUGTRAQ http://www.securityfocus.com/archive/1/archive/1/489954/100/0/threaded BID 28379

Return to the previous page.