ID CVE-2006-3918
Summary http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.
References
Vulnerable Configurations
  • Apache Software Foundation Apache HTTP Server 1.3
    cpe:2.3:a:apache:http_server:1.3
  • Apache Software Foundation Apache HTTP Server 1.3.1
    cpe:2.3:a:apache:http_server:1.3.1
  • Apache Software Foundation Apache HTTP Server 1.3.11 (win32)
    cpe:2.3:a:apache:http_server:1.3.11:-:win32
  • Apache Software Foundation Apache HTTP Server 1.3.12
    cpe:2.3:a:apache:http_server:1.3.12
  • Apache Software Foundation Apache HTTP Server 1.3.12 (win32)
    cpe:2.3:a:apache:http_server:1.3.12:-:win32
  • Apache Software Foundation Apache HTTP Server 1.3.17
    cpe:2.3:a:apache:http_server:1.3.17
  • Apache Software Foundation Apache HTTP Server 1.3.18
    cpe:2.3:a:apache:http_server:1.3.18
  • Apache Software Foundation Apache HTTP Server 1.3.19
    cpe:2.3:a:apache:http_server:1.3.19
  • Apache Software Foundation Apache HTTP Server 1.3.20
    cpe:2.3:a:apache:http_server:1.3.20
  • Apache Software Foundation Apache HTTP Server 1.3.22
    cpe:2.3:a:apache:http_server:1.3.22
  • Apache Software Foundation Apache HTTP Server 2.0
    cpe:2.3:a:apache:http_server:2.0
  • Apache Software Foundation Apache HTTP Server 2.0.57
    cpe:2.3:a:apache:http_server:2.0.57
  • Apache Software Foundation Apache HTTP Server 2.2
    cpe:2.3:a:apache:http_server:2.2
  • Apache Software Foundation Apache HTTP Server 2.2.1
    cpe:2.3:a:apache:http_server:2.2.1
  • IBM IBM HTTP Server 6.0
    cpe:2.3:a:ibm:http_server:6.0
  • IBM IBM HTTP Server 6.1
    cpe:2.3:a:ibm:http_server:6.1
CVSS
Base: 4.3 (as of 31-07-2006 - 15:50)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: PARTIAL
  Availability: NONE
exploit-db via4
description Apache 2.x HTTP Server Arbitrary HTTP Request Headers Security Weakness. CVE-2006-3918. Remote exploit for linux platform
id EDB-ID:28424
last seen 2016-02-03
modified 2006-08-24
published 2006-08-24
reporter Thiago Zaninotti
source https://www.exploit-db.com/download/28424/
title Apache 2.x HTTP Server Arbitrary HTTP Request Headers Security Weakness
nessus via4
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL6669.NASL
    description The remote BIG-IP device is missing a patch required by a security advisory.
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 78212
    published 2014-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78212
    title F5 Networks BIG-IP : Apache HTTP Expect header handling (SOL6669)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0618.NASL
    description Updated Apache httpd packages that correct a security issue are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having important security impact by the Red Hat Security Response Team. The Apache HTTP Server is a popular Web server available for free. A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header. (CVE-2006-3918) While a web browser cannot be forced to send an arbitrary Expect header by a third-party attacker, it was recently discovered that certain versions of the Flash plugin can manipulate request headers. If users running such versions can be persuaded to load a web page with a malicious Flash applet, a cross-site scripting attack against the server may be possible. Users of Apache should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 67036
    published 2013-06-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67036
    title CentOS 4 : apache (CESA-2006:0618)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0618.NASL
    description Updated Apache httpd packages that correct a security issue are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having important security impact by the Red Hat Security Response Team. The Apache HTTP Server is a popular Web server available for free. A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header. (CVE-2006-3918) While a web browser cannot be forced to send an arbitrary Expect header by a third-party attacker, it was recently discovered that certain versions of the Flash plugin can manipulate request headers. If users running such versions can be persuaded to load a web page with a malicious Flash applet, a cross-site scripting attack against the server may be possible. Users of Apache should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 22202
    published 2006-08-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22202
    title RHEL 2.1 : apache (RHSA-2006:0618)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2006-0619.NASL
    description From Red Hat Security Advisory 2006:0619 : Updated Apache httpd packages that correct security issues and resolve bugs are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Apache HTTP Server is a popular Web server available for free. A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header. (CVE-2006-3918) While a web browser cannot be forced to send an arbitrary Expect header by a third-party attacker, it was recently discovered that certain versions of the Flash plugin can manipulate request headers. If users running such versions can be persuaded to load a web page with a malicious Flash applet, a cross-site scripting attack against the server may be possible. On Red Hat Enterprise Linux 3 and 4 systems, due to an unrelated issue in the handling of malformed Expect headers, the page produced by the cross-site scripting attack will only be returned after a timeout expires (2-5 minutes by default) if not first canceled by the user. Users of httpd should update to these erratum packages, which contain a backported patch to correct these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67402
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67402
    title Oracle Linux 3 / 4 : httpd (ELSA-2006-0619)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0619.NASL
    description Updated Apache httpd packages that correct security issues and resolve bugs are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Apache HTTP Server is a popular Web server available for free. A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header. (CVE-2006-3918) While a web browser cannot be forced to send an arbitrary Expect header by a third-party attacker, it was recently discovered that certain versions of the Flash plugin can manipulate request headers. If users running such versions can be persuaded to load a web page with a malicious Flash applet, a cross-site scripting attack against the server may be possible. On Red Hat Enterprise Linux 3 and 4 systems, due to an unrelated issue in the handling of malformed Expect headers, the page produced by the cross-site scripting attack will only be returned after a timeout expires (2-5 minutes by default) if not first canceled by the user. Users of httpd should update to these erratum packages, which contain a backported patch to correct these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 22224
    published 2006-08-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22224
    title RHEL 3 / 4 : httpd (RHSA-2006:0619)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0619.NASL
    description Updated Apache httpd packages that correct security issues and resolve bugs are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Apache HTTP Server is a popular Web server available for free. A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header. (CVE-2006-3918) While a web browser cannot be forced to send an arbitrary Expect header by a third-party attacker, it was recently discovered that certain versions of the Flash plugin can manipulate request headers. If users running such versions can be persuaded to load a web page with a malicious Flash applet, a cross-site scripting attack against the server may be possible. On Red Hat Enterprise Linux 3 and 4 systems, due to an unrelated issue in the handling of malformed Expect headers, the page produced by the cross-site scripting attack will only be returned after a timeout expires (2-5 minutes by default) if not first canceled by the user. Users of httpd should update to these erratum packages, which contain a backported patch to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 22207
    published 2006-08-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22207
    title CentOS 3 / 4 : httpd (CESA-2006:0619)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2008-0523.NASL
    description Red Hat Network Proxy Server version 4.2.3 is now available. This update includes fixes for a number of security issues in Red Hat Network Proxy Server components. This update has been rated as having low security impact by the Red Hat Security Response Team. The Red Hat Network Proxy Server 4.2.3 release corrects several security vulnerabilities in several shipped components. In a typical operating environment, these components are not exposed to users of Proxy Server in a vulnerable manner. These security updates will reduce risk in unique Proxy Server environments. Multiple flaws were fixed in the Apache HTTPD server. These flaws could result in a cross-site scripting or denial-of-service attack. (CVE-2007-6388, CVE-2007-5000, CVE-2007-4465, CVE-2007-3304, CVE-2006-5752, CVE-2006-3918, CVE-2005-3352) A denial-of-service flaw was fixed in mod_perl. (CVE-2007-1349) Multiple flaws in mod_ssl. (CVE-2004-0488, CVE-2004-0700, CVE-2004-0885) A denial-of-service flaw was fixed in the jabberd server. (CVE-2006-1329) Users of Red Hat Network Proxy Server 4.2 are advised to upgrade to 4.2.3, which resolves these issues.
    last seen 2019-02-21
    modified 2017-01-10
    plugin id 63857
    published 2013-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63857
    title RHEL 3 / 4 : Proxy Server (RHSA-2008:0523)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1167.NASL
    description Several remote vulnerabilities have been discovered in Apache, the world's most popular webserver, which may lead to the execution of arbitrary web script. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2005-3352 A cross-site scripting (XSS) flaw exists in the mod_imap component of the Apache server. - CVE-2006-3918 Apache does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 22709
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22709
    title Debian DSA-1167-1 : apache - missing input sanitising
  • NASL family CGI abuses : XSS
    NASL id WWW_EXPECT_XSS.NASL
    description The remote web server fails to sanitize the contents of an 'Expect' request header before using it to generate dynamic web content. An unauthenticated, remote attacker may be able to leverage this issue to launch cross-site scripting attacks against the affected service, perhaps through specially crafted ShockWave (SWF) files.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 22254
    published 2006-08-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22254
    title Web Server Expect Header XSS
  • NASL family SuSE Local Security Checks
    NASL id SUSE9_12125.NASL
    description This update fixes multiple bugs in apache : - cross-site scripting problem when processing the 'Expect' header. (CVE-2006-3918) - cross-site scripting problem in mod_imap. (CVE-2007-5000) - cross-site scripting problem in mod_status. (CVE-2007-6388) - cross-site scripting problem in the ftp proxy module. (CVE-2008-0005)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 41207
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41207
    title SuSE9 Security Update : Apache (YOU Patch Number 12125)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-575-1.NASL
    description It was discovered that Apache did not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such as passwords), within the same domain. This was only vulnerable in Ubuntu 6.06. (CVE-2006-3918) It was discovered that when configured as a proxy server and using a threaded MPM, Apache did not properly sanitize its input. A remote attacker could send Apache crafted date headers and cause a denial of service via application crash. By default, mod_proxy is disabled in Ubuntu. (CVE-2007-3847) It was discovered that mod_autoindex did not force a character set, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. (CVE-2007-4465) It was discovered that mod_imap/mod_imagemap did not force a character set, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. By default, mod_imap/mod_imagemap is disabled in Ubuntu. (CVE-2007-5000) It was discovered that mod_status when status pages were available, allowed for cross-site scripting attacks. By default, mod_status is disabled in Ubuntu. (CVE-2007-6388) It was discovered that mod_proxy_balancer did not sanitize its input, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. By default, mod_proxy_balancer is disabled in Ubuntu. This was only vulnerable in Ubuntu 7.04 and 7.10. (CVE-2007-6421) It was discovered that mod_proxy_balancer could be made to dereference a NULL pointer. A remote attacker could send a crafted request and cause a denial of service via application crash. By default, mod_proxy_balancer is disabled in Ubuntu. This was only vulnerable in Ubuntu 7.04 and 7.10. (CVE-2007-6422) It was discovered that mod_proxy_ftp did not force a character set, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. By default, mod_proxy_ftp is disabled in Ubuntu. (CVE-2008-0005). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 30184
    published 2008-02-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=30184
    title Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : apache2 vulnerabilities (USN-575-1)
oval via4
  • accepted 2013-04-29T04:04:54.816-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    description http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.
    family unix
    id oval:org.mitre.oval:def:10352
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.
    version 23
  • accepted 2015-04-20T04:00:20.280-04:00
    class vulnerability
    contributors
    • name K, Balamurugan
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Prashant Kumar
      organization Hewlett-Packard
    • name Mike Cokus
      organization The MITRE Corporation
    description http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.
    family unix
    id oval:org.mitre.oval:def:12238
    status accepted
    submitted 2011-02-01T12:25:58.000-05:00
    title HP-UX Apache-based Web Server, Local Information Disclosure, Increase of Privilege, Remote Denial of Service (DoS)
    version 45
packetstorm via4
redhat via4
advisories
  • bugzilla
    id 200732
    title CVE-2006-3918 httpd: Expect header XSS
    oval
    OR
    • AND
      • comment Red Hat Enterprise Linux 3 is installed
        oval oval:com.redhat.rhsa:tst:20060015001
      • OR
        • AND
          • comment httpd is earlier than 0:2.0.46-61.ent
            oval oval:com.redhat.rhsa:tst:20060619002
          • comment httpd is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060619003
        • AND
          • comment httpd-devel is earlier than 0:2.0.46-61.ent
            oval oval:com.redhat.rhsa:tst:20060619004
          • comment httpd-devel is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060619005
    • AND
      • comment Red Hat Enterprise Linux 4 is installed
        oval oval:com.redhat.rhsa:tst:20060016001
      • OR
        • AND
          • comment httpd is earlier than 0:2.0.52-28.ent
            oval oval:com.redhat.rhsa:tst:20060619007
          • comment httpd is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060619003
        • AND
          • comment httpd-devel is earlier than 0:2.0.52-28.ent
            oval oval:com.redhat.rhsa:tst:20060619012
          • comment httpd-devel is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060619005
        • AND
          • comment httpd-manual is earlier than 0:2.0.52-28.ent
            oval oval:com.redhat.rhsa:tst:20060619010
          • comment httpd-manual is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060619011
        • AND
          • comment mod_ssl is earlier than 0:2.0.52-28.ent
            oval oval:com.redhat.rhsa:tst:20060619008
          • comment mod_ssl is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060619009
    rhsa
    id RHSA-2006:0619
    released 2006-08-10
    severity Moderate
    title RHSA-2006:0619: httpd security update (Moderate)
  • rhsa
    id RHSA-2006:0618
  • rhsa
    id RHSA-2006:0692
rpms
  • httpd-0:2.0.46-61.ent
  • httpd-devel-0:2.0.46-61.ent
  • httpd-0:2.0.52-28.ent
  • httpd-devel-0:2.0.52-28.ent
  • httpd-manual-0:2.0.52-28.ent
  • mod_ssl-0:2.0.52-28.ent
refmap via4
aixapar
  • PK24631
  • PK27875
bid 19661
bugtraq
  • 20060508 Unfiltered Header Injection in Apache 1.3.34/2.0.57/2.2.1
  • 20060724 Write-up by Amit Klein: "Forging HTTP request headers with Flash"
confirm
debian DSA-1167
hp
  • HPSBOV02683
  • HPSBUX02465
  • HPSBUX02612
  • SSRT090192
  • SSRT090208
  • SSRT100345
openbsd [3.9] 012: SECURITY FIX: October 7, 2006
sectrack
  • 1016569
  • 1024144
secunia
  • 21172
  • 21174
  • 21399
  • 21478
  • 21598
  • 21744
  • 21848
  • 21986
  • 22140
  • 22317
  • 22523
  • 28749
  • 29640
  • 40256
sgi 20060801-01-P
sreason 1294
suse
  • SUSE-SA:2006:051
  • SUSE-SA:2008:021
ubuntu USN-575-1
vupen
  • ADV-2006-2963
  • ADV-2006-2964
  • ADV-2006-3264
  • ADV-2006-4207
  • ADV-2006-5089
  • ADV-2010-1572
statements via4
contributor Mark J Cox
lastmodified 2008-07-02
organization Apache
statement Fixed in Apache HTTP Server 1.3.35: http://httpd.apache.org/security/vulnerabilities_13.html
Last major update 05-11-2012 - 22:17
Published 27-07-2006 - 20:04
Last modified 10-10-2017 - 21:31