http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.

The remote BIG-IP device is missing a patch required by a security advisory.

From Red Hat Security Advisory 2006:0619 :

Updated Apache httpd packages that correct security issues and resolve bugs are now available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

The Apache HTTP Server is a popular Web server available for free.

A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header. (CVE-2006-3918)

While a web browser cannot be forced to send an arbitrary Expect header by a third-party attacker, it was recently discovered that certain versions of the Flash plugin can manipulate request headers.
If users running such versions can be persuaded to load a web page with a malicious Flash applet, a cross-site scripting attack against the server may be possible.

On Red Hat Enterprise Linux 3 and 4 systems, due to an unrelated issue in the handling of malformed Expect headers, the page produced by the cross-site scripting attack will only be returned after a timeout expires (2-5 minutes by default) if not first canceled by the user.

Users of httpd should update to these erratum packages, which contain a backported patch to correct these issues.

Updated Apache httpd packages that correct a security issue are now available for Red Hat Enterprise Linux 2.1.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The Apache HTTP Server is a popular Web server available for free.

A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header. (CVE-2006-3918)

While a web browser cannot be forced to send an arbitrary Expect header by a third-party attacker, it was recently discovered that certain versions of the Flash plugin can manipulate request headers.
If users running such versions can be persuaded to load a web page with a malicious Flash applet, a cross-site scripting attack against the server may be possible.

Users of Apache should upgrade to these updated packages, which contain a backported patch to correct this issue.

Red Hat Network Proxy Server version 4.2.3 is now available. This update includes fixes for a number of security issues in Red Hat Network Proxy Server components.

This update has been rated as having low security impact by the Red Hat Security Response Team.

The Red Hat Network Proxy Server 4.2.3 release corrects several security vulnerabilities in several shipped components. In a typical operating environment, these components are not exposed to users of Proxy Server in a vulnerable manner. These security updates will reduce risk in unique Proxy Server environments.

Multiple flaws were fixed in the Apache HTTPD server. These flaws could result in a cross-site scripting or denial-of-service attack.
(CVE-2007-6388, CVE-2007-5000, CVE-2007-4465, CVE-2007-3304, CVE-2006-5752, CVE-2006-3918, CVE-2005-3352)

A denial-of-service flaw was fixed in mod_perl. (CVE-2007-1349)

Multiple flaws in mod_ssl. (CVE-2004-0488, CVE-2004-0700, CVE-2004-0885)

A denial-of-service flaw was fixed in the jabberd server.
(CVE-2006-1329)

Users of Red Hat Network Proxy Server 4.2 are advised to upgrade to 4.2.3, which resolves these issues.

This update fixes multiple bugs in apache :

  - cross-site scripting problem when processing the     'Expect' header. (CVE-2006-3918)

  - cross-site scripting problem in mod_imap.
    (CVE-2007-5000)

  - cross-site scripting problem in mod_status.
    (CVE-2007-6388)

  - cross-site scripting problem in the ftp proxy module.
    (CVE-2008-0005)

It was discovered that Apache did not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such as passwords), within the same domain. This was only vulnerable in Ubuntu 6.06. (CVE-2006-3918)

It was discovered that when configured as a proxy server and using a threaded MPM, Apache did not properly sanitize its input. A remote attacker could send Apache crafted date headers and cause a denial of service via application crash. By default, mod_proxy is disabled in Ubuntu. (CVE-2007-3847)

It was discovered that mod_autoindex did not force a character set, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. (CVE-2007-4465)

It was discovered that mod_imap/mod_imagemap did not force a character set, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. By default, mod_imap/mod_imagemap is disabled in Ubuntu. (CVE-2007-5000)

It was discovered that mod_status when status pages were available, allowed for cross-site scripting attacks. By default, mod_status is disabled in Ubuntu. (CVE-2007-6388)

It was discovered that mod_proxy_balancer did not sanitize its input, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. By default, mod_proxy_balancer is disabled in Ubuntu. This was only vulnerable in Ubuntu 7.04 and 7.10. (CVE-2007-6421)

It was discovered that mod_proxy_balancer could be made to dereference a NULL pointer. A remote attacker could send a crafted request and cause a denial of service via application crash. By default, mod_proxy_balancer is disabled in Ubuntu. This was only vulnerable in Ubuntu 7.04 and 7.10. (CVE-2007-6422)

It was discovered that mod_proxy_ftp did not force a character set, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. By default, mod_proxy_ftp is disabled in Ubuntu. (CVE-2008-0005).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several remote vulnerabilities have been discovered in the Apache, the worlds most popular webserver, which may lead to the execution of arbitrary web script. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2005-3352     A cross-site scripting (XSS) flaw exists in the mod_imap     component of the Apache server.

  - CVE-2006-3918     Apache does not sanitize the Expect header from an HTTP     request when it is reflected back in an error message,     which might allow cross-site scripting (XSS) style     attacks.

The remote web server fails to sanitize the contents of an 'Expect' request header before using it to generate dynamic web content.  An unauthenticated, remote attacker may be able to leverage this issue to launch cross-site scripting attacks against the affected service, perhaps through specially crafted ShockWave (SWF) files.

Updated Apache httpd packages that correct security issues and resolve bugs are now available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

The Apache HTTP Server is a popular Web server available for free.

A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header. (CVE-2006-3918)

While a web browser cannot be forced to send an arbitrary Expect header by a third-party attacker, it was recently discovered that certain versions of the Flash plugin can manipulate request headers.
If users running such versions can be persuaded to load a web page with a malicious Flash applet, a cross-site scripting attack against the server may be possible.

On Red Hat Enterprise Linux 3 and 4 systems, due to an unrelated issue in the handling of malformed Expect headers, the page produced by the cross-site scripting attack will only be returned after a timeout expires (2-5 minutes by default) if not first canceled by the user.

Users of httpd should update to these erratum packages, which contain a backported patch to correct these issues.

ID	Name	Product	Family	Severity
78212	F5 Networks BIG-IP : Apache HTTP Expect header handling (SOL6669)	Nessus	F5 Networks Local Security Checks	medium
67402	Oracle Linux 3 / 4 : httpd (ELSA-2006-0619)	Nessus	Oracle Linux Local Security Checks	medium
67036	CentOS 4 : apache (CESA-2006:0618)	Nessus	CentOS Local Security Checks	medium
63857	RHEL 3 / 4 : Proxy Server (RHSA-2008:0523)	Nessus	Red Hat Local Security Checks	high
41207	SuSE9 Security Update : Apache (YOU Patch Number 12125)	Nessus	SuSE Local Security Checks	medium
30184	Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : apache2 vulnerabilities (USN-575-1)	Nessus	Ubuntu Local Security Checks	medium
22709	Debian DSA-1167-1 : apache - missing input sanitising	Nessus	Debian Local Security Checks	medium
22254	Web Server Expect Header XSS	Nessus	CGI abuses : XSS	medium
22224	RHEL 3 / 4 : httpd (RHSA-2006:0619)	Nessus	Red Hat Local Security Checks	medium
22207	CentOS 3 / 4 : httpd (CESA-2006:0619)	Nessus	CentOS Local Security Checks	medium
22202	RHEL 2.1 : apache (RHSA-2006:0618)	Nessus	Red Hat Local Security Checks	medium

Detections

Analytics

CVE-2006-3918

medium

Tenable Plugins

medium

medium

medium

high

medium

medium

medium

medium

medium

medium

medium