ID CVE-2006-3918
Summary http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:http_server:1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.11:*:win32:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.12:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.12:*:win32:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.17:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.18:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.19:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.20:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.22:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.57:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:http_server:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:http_server:6.1:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 11-10-2017 - 01:31)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  Vector NETWORK
  Complexity MEDIUM
  Authentication NONE
Impact
  Confidentiality NONE
  Integrity PARTIAL
  Availability NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:P/A:N
oval via4
  • accepted 2013-04-29T04:04:54.816-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    description http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.
    family unix
    id oval:org.mitre.oval:def:10352
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.
    version 23
  • accepted 2015-04-20T04:00:20.280-04:00
    class vulnerability
    contributors
    • name K, Balamurugan
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Prashant Kumar
      organization Hewlett-Packard
    • name Mike Cokus
      organization The MITRE Corporation
    description http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.
    family unix
    id oval:org.mitre.oval:def:12238
    status accepted
    submitted 2011-02-01T12:25:58.000-05:00
    title HP-UX Apache-based Web Server, Local Information Disclosure, Increase of Privilege, Remote Denial of Service (DoS)
    version 45
redhat via4
advisories
  • bugzilla
    id 200732
    title CVE-2006-3918 httpd: Expect header XSS
    oval
    OR
    • AND
      • comment Red Hat Enterprise Linux 3 is installed
        oval oval:com.redhat.rhba:tst:20070026001
      • OR
        • AND
          • comment httpd is earlier than 0:2.0.46-61.ent
            oval oval:com.redhat.rhsa:tst:20060619002
          • comment httpd is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060619003
        • AND
          • comment httpd-devel is earlier than 0:2.0.46-61.ent
            oval oval:com.redhat.rhsa:tst:20060619004
          • comment httpd-devel is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060619005
    • AND
      • comment Red Hat Enterprise Linux 4 is installed
        oval oval:com.redhat.rhba:tst:20070304001
      • OR
        • AND
          • comment httpd is earlier than 0:2.0.52-28.ent
            oval oval:com.redhat.rhsa:tst:20060619007
          • comment httpd is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060619003
        • AND
          • comment httpd-devel is earlier than 0:2.0.52-28.ent
            oval oval:com.redhat.rhsa:tst:20060619012
          • comment httpd-devel is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060619005
        • AND
          • comment httpd-manual is earlier than 0:2.0.52-28.ent
            oval oval:com.redhat.rhsa:tst:20060619010
          • comment httpd-manual is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060619011
        • AND
          • comment mod_ssl is earlier than 0:2.0.52-28.ent
            oval oval:com.redhat.rhsa:tst:20060619008
          • comment mod_ssl is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060619009
    rhsa
    id RHSA-2006:0619
    released 2006-08-10
    severity Moderate
    title RHSA-2006:0619: httpd security update (Moderate)
  • rhsa
    id RHSA-2006:0618
  • rhsa
    id RHSA-2006:0692
rpms
  • httpd-0:2.0.46-61.ent
  • httpd-devel-0:2.0.46-61.ent
  • httpd-0:2.0.52-28.ent
  • httpd-devel-0:2.0.52-28.ent
  • httpd-manual-0:2.0.52-28.ent
  • mod_ssl-0:2.0.52-28.ent
refmap via4
aixapar
  • PK24631
  • PK27875
bid 19661
bugtraq
  • 20060508 Unfiltered Header Injection in Apache 1.3.34/2.0.57/2.2.1
  • 20060724 Write-up by Amit Klein: "Forging HTTP request headers with Flash"
confirm
debian DSA-1167
hp
  • HPSBOV02683
  • HPSBUX02465
  • HPSBUX02612
  • SSRT090192
  • SSRT090208
  • SSRT100345
openbsd [3.9] 012: SECURITY FIX: October 7, 2006
sectrack
  • 1016569
  • 1024144
secunia
  • 21172
  • 21174
  • 21399
  • 21478
  • 21598
  • 21744
  • 21848
  • 21986
  • 22140
  • 22317
  • 22523
  • 28749
  • 29640
  • 40256
sgi 20060801-01-P
sreason 1294
suse
  • SUSE-SA:2006:051
  • SUSE-SA:2008:021
ubuntu USN-575-1
vupen
  • ADV-2006-2963
  • ADV-2006-2964
  • ADV-2006-3264
  • ADV-2006-4207
  • ADV-2006-5089
  • ADV-2010-1572
statements via4
contributor Mark J Cox
lastmodified 2008-07-02
organization Apache
statement Fixed in Apache HTTP Server 1.3.35: http://httpd.apache.org/security/vulnerabilities_13.html
Last major update 11-10-2017 - 01:31
Published 28-07-2006 - 00:04