Apache httpd Expect header Cross-Site Scripting (CVE-2006-3918)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:M/Au:N/C:N/I:P/A:N) | July 26, 2006 | July 26, 2006 | December 03, 2013 |
The affected asset is vulnerable to this Apache vulnerability ONLY if an attacker can influence the Expect header, for example using Flash. Review your Web server configuration for validation.
This is a flaw in the handling of invalid Expect headers. If an attacker can influence the Expect header that a victim sends to a target site, they could perform a cross-site scripting attack. It is known that some versions of Flash can set an arbitrary Expect header, which can trigger this flaw. Not marked as a security issue for 2.0 or 2.2, as the cross-site scripting is only returned to the victim after the server times out a connection.
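As an added illustration that is not part of this advisory, the following Python decides from an already captured 417 response whether the Expect value was echoed back into the error page with its markup intact (the pattern this entry describes) or HTML-escaped. The marker value and both sample responses are constructed here; the exact layout of the server's error body is an assumption.

```python
import html

# Constructed marker assumed to have been sent in the request's Expect header.
# It deliberately contains HTML metacharacters so escaping can be observed.
SENT_EXPECT = "check<b>marker</b>"

def build_417(echoed_value):
    """Construct a sample 417 Expectation Failed response that echoes echoed_value."""
    body = (
        "<html><body><p>The expectation given in the Expect request-header\n"
        "field could not be met by this server.</p><p>The client sent</p><pre>\n"
        f"    Expect: {echoed_value}\n"
        "</pre></body></html>\n"
    )
    return (
        "HTTP/1.1 417 Expectation Failed\r\n"
        "Content-Type: text/html; charset=iso-8859-1\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n" + body
    )

UNESCAPED_417 = build_417(SENT_EXPECT)             # value echoed verbatim (vulnerable pattern)
ESCAPED_417 = build_417(html.escape(SENT_EXPECT))  # value HTML-escaped (fixed pattern)

def parse_response(raw):
    """Return (status_code, body) from a raw HTTP/1.x response string."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line = head.split("\r\n", 1)[0]
    return int(status_line.split()[1]), body

def expect_reflected_unescaped(raw_response, sent_value):
    """True if the response is a 417 whose body contains sent_value with its markup intact."""
    if not any(c in sent_value for c in "<>\"'"):
        raise ValueError("marker must contain HTML metacharacters for the check to be meaningful")
    status, body = parse_response(raw_response)
    if status != 417:
        return False
    # Strip the correctly escaped form first so only a raw, unescaped copy is counted.
    stripped = body.replace(html.escape(sent_value, quote=True), "")
    return sent_value in stripped

if __name__ == "__main__":
    print("vulnerable pattern reflected unescaped:", expect_reflected_unescaped(UNESCAPED_417, SENT_EXPECT))
    print("fixed pattern reflected unescaped:", expect_reflected_unescaped(ESCAPED_417, SENT_EXPECT))
```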
- URL: http://httpd.apache.org/security/vulnerabilities_13.html
- SUSE-SA:2006:051: Apache2 security problems
- RHSA-2008:0523: Red Hat Network Proxy Server security update
- ELSA-2006:0619 Moderate httpd security update
- RHSA-2010:0602: Red Hat Certificate System 7.3 security update
- CESA-2006:0619: httpd security update
- Missing Oracle Critical Patch Update (CPU) for October 2006
- SUSE-SA:2008:021: Apache,Apache2 security problems
- USN-575-1: Apache vulnerabilities
- Apache HTTPD: Expect header Cross-Site Scripting (CVE-2006-3918)
- RHSA-2006:0618: apache security update
- SUSE Linux Security Advisory: SUSE-SA:2008:021
- CESA-2006:0618: apache security update
- RHSA-2006:0619: httpd security update