Description
http_protocol.c in (1) IBM HTTP Server 6.0 before 126.96.36.199 and 6.1 before 188.8.131.52, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.
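The defect described above is a classic reflected-output bug: a request header value is copied into an HTML error page without escaping. The following added example (not code from the advisory, Apache or IBM) models the two behaviours side by side in Python so the difference is concrete: an unsanitized 417 "Expectation Failed" body versus one that HTML-escapes the header value before interpolation, plus a small check a defender can use to confirm that a server's error page no longer reflects the raw value. The error-page wording, the function names and the sample header value are constructed for the example.

```python
import html

# Constructed sample: an Expect header value containing HTML markup,
# i.e. the kind of input the unsanitized error page would reflect verbatim.
SAMPLE_EXPECT = "<script>alert(1)</script>"


def error_body_unsanitized(expect_value: str) -> str:
    """Model of the vulnerable behaviour: the raw header value is
    interpolated straight into the HTML error page (hypothetical
    wording, not the real Apache/IBM template)."""
    return (
        "<html><body><h1>Expectation Failed</h1>"
        "<p>The expectation given in the Expect request-header field "
        "could not be met by this server.</p>"
        f"<p>Expect: {expect_value}</p>"
        "</body></html>"
    )


def error_body_escaped(expect_value: str) -> str:
    """Hardened variant: the header value is HTML-escaped before being
    placed in the page, so markup in the header is rendered as text.
    quote=True also escapes quotes, which matters if the value were
    ever placed inside an attribute."""
    safe_value = html.escape(expect_value, quote=True)
    return (
        "<html><body><h1>Expectation Failed</h1>"
        "<p>The expectation given in the Expect request-header field "
        "could not be met by this server.</p>"
        f"<p>Expect: {safe_value}</p>"
        "</body></html>"
    )


def reflects_unescaped(body: str, sent_value: str) -> bool:
    """Verification helper: given the body of an error response and the
    header value that was sent, report whether the value appears in the
    body byte-for-byte. True means the server still reflects raw input
    (a patched server should return False for a value containing '<')."""
    return sent_value in body


if __name__ == "__main__":
    print("vulnerable reflects raw value:",
          reflects_unescaped(error_body_unsanitized(SAMPLE_EXPECT), SAMPLE_EXPECT))
    print("hardened reflects raw value:  ",
          reflects_unescaped(error_body_escaped(SAMPLE_EXPECT), SAMPLE_EXPECT))
```

When reviewing any server that builds error pages from request data, apply the same rule the hardened variant follows: every request-derived string (headers, path, query) is escaped for the output context before it is written into HTML.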
Overall state of this security issue: Resolved
This issue is currently rated as having moderate severity.
National Vulnerability Database
SUSE Security Advisories:
- SUSE-SA:2006:051, published Fri, 08 Sep 2006 16:00:00 +0000
- SUSE-SA:2008:021, published Fri, 04 Apr 2008 16:00:00 +0000
SUSE Timeline for this CVE
CVE page created: Fri Jun 28 05:08:09 2013
CVE page last modified: Fri Oct 7 12:45:34 2022