Hi, how is it going? The same bug was fixed in apache 1.3.34(#381381) on 15 Aug 2006, but not fixed in apache 2.0.55(#381376).
I hope it will be fixed as soon as possible. Our customers worry about it. Thanks in advance.

Kazu Nambo

From: [EMAIL PROTECTED]
Subject: Bug#381376: CVE-2006-3918: Missing Expect header sanitation may lead to XSS vulnerabilities
Date: Fri, 04 Aug 2006 00:21:15 +0200

> Package: apache2
> Version: 2.0.55-4
> Severity: grave
> Tags: security
> Justification: user security hole
>
> CVE-2006-3918 reads:
> http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1
> before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0
> before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect
> header from an HTTP request when it is reflected back in an error
> message, which might allow cross-site scripting (XSS) style attacks
> using web client components that can send arbitrary headers in
> requests, as demonstrated using a Flash SWF file.
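To make the reflection described in the CVE text concrete, here is an added example (not part of the bug report, and not Apache's own code) that models the two sides of the problem: a constructed 417 "Expectation Failed" page in the shape Apache 1.3/2.0 produced, built once with the Expect value pasted in raw (the CVE-2006-3918 behaviour) and once with it entity-encoded (the fix), plus the check a tester would run against a server: send any Expect value other than 100-continue so the 417 path is taken, and look for the marker byte-for-byte in the reply. The page wording, the MARKER value and every function name here are assumptions chosen for the example; the request and response bytes are constructed so the whole thing runs offline.

```python
import html
import socket

# Constructed probe value: a harmless tag that is easy to spot if reflected raw.
MARKER = "<script>alert(1)</script>"


def error_417_body(expect_value: str, escape: bool) -> str:
    """Build the body of a 417 error page that echoes the Expect header.

    The wording approximates the Apache 1.3/2.0 417 page of that era; it is a
    constructed stand-in, not the real http_protocol.c output. With escape=False
    the header value lands in the HTML untouched (the CVE-2006-3918 behaviour);
    with escape=True it is entity-encoded first (what the fix does).
    """
    shown = html.escape(expect_value, quote=True) if escape else expect_value
    return (
        "<html><head><title>417 Expectation Failed</title></head><body>\n"
        "<h1>Expectation Failed</h1>\n"
        "<p>The expectation given in the Expect request-header field "
        "could not be met by this server.</p>\n"
        "<p>The client sent<pre>\n"
        f"    Expect: {shown}\n"
        "</pre>\nbut we only allow the 100-continue expectation.</p>\n"
        "</body></html>\n"
    )


def build_response(expect_value: str, escape: bool) -> bytes:
    """Wrap the error body in a minimal HTTP/1.1 417 response (constructed)."""
    body = error_417_body(expect_value, escape).encode()
    head = (
        "HTTP/1.1 417 Expectation Failed\r\n"
        "Content-Type: text/html; charset=iso-8859-1\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()
    return head + body


def probe_request(host: str, marker: str = MARKER) -> bytes:
    """Raw request a checker sends: any Expect value other than 100-continue
    forces the 417 path, so the marker rides in that header."""
    return (
        f"GET / HTTP/1.1\r\nHost: {host}\r\n"
        f"Expect: {marker}\r\nConnection: close\r\n\r\n"
    ).encode()


def reflects_unescaped(raw_response: bytes, marker: str = MARKER) -> bool:
    """True if a 417 response carries the marker byte-for-byte in its body.

    An entity-encoded reflection (&lt;script&gt;) does not match, so a
    patched server reports False even though it still echoes the header.
    """
    head, _, body = raw_response.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    if b" 417 " not in status_line:
        return False
    return marker.encode() in body


def probe_server(host: str, port: int = 80, timeout: float = 5.0) -> bool:
    """Send the probe to a live server and evaluate its reply. Only run this
    against hosts you are authorised to test; not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(probe_request(host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return reflects_unescaped(b"".join(chunks))


if __name__ == "__main__":
    for escaped in (False, True):
        resp = build_response(MARKER, escape=escaped)
        print("escaped" if escaped else "raw", "->",
              "VULNERABLE" if reflects_unescaped(resp) else "safe")
```

The check only tells you whether the server reflects the header raw; the "web client components that can send arbitrary headers" part of the CVE is what makes it exploitable cross-site, since a browser's own JavaScript cannot set Expect, so the demonstration in the advisory went through a Flash SWF. A server is fixed when the marker comes back as &lt;script&gt;, which is exactly what the escaped branch above produces.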