Nexpose Vulnerability Database


Apache httpd Expect header Cross-Site Scripting (CVE-2006-3918)

Severity: Severe (4)
CVSS: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published: Jul 27, 2006
Added: Jul 27, 2006
Modified: Mar 2, 2011

Description:

Apache httpd contains a flaw in its handling of invalid Expect headers. If an attacker can influence the Expect header that a victim's browser sends to a target site, they can perform a cross-site scripting attack. Some versions of Flash are known to be able to set an arbitrary Expect header, which can trigger this flaw. The issue is not marked as a security issue for 2.0 or 2.2, because the cross-site scripting content is only returned to the victim after the server times out the connection.


References:

Solution:

Apache >= 1.3 and < 1.4

Upgrade to Apache version 1.3.35

Download and apply the upgrade from: http://archive.apache.org/dist/httpd/apache_1.3.35.tar.gz

Many platforms and distributions provide pre-built binary packages for Apache. These pre-built packages are usually customized and optimized for a particular distribution, so we recommend using them if they are available for your operating system.
