VMware Security Response

CVE identifier: CVE-2006-3918
Synopsis: Possible cross-site scripting exploit in Apache using Expect headers, seen in Flash SWF file
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918
Response issued on: December 19, 2006
Response updated on: December 20, 2006
Relevant Release

ESX Server versions
- 2.0.2
- 2.1.3
- 2.5.3
- 2.5.4
- 2.5.5
- 3.0.0
- 3.0.1
Problem Description

CVE-2006-3918 reports the following issue:

http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.

Red Hat security advisories RHSA-2006:0618-01 and RHSA-2006:0619-01 report the issue as:

A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header. (CVE-2006-3918)

While a web browser cannot be forced to send an arbitrary Expect header by a third-party attacker, it was recently discovered that certain versions of the Flash plugin can manipulate request headers. If users running such versions can be persuaded to load a web page with a malicious Flash applet, a cross-site scripting attack against the server may be possible.
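The bug class described above, modelled as an added example (not Apache's or VMware's code): a minimal server-side handler that answers 417 to an unmet Expect header, once reflecting the header verbatim as the vulnerable versions did and once HTML-escaped as the fix does, plus a check a test suite can run on a response body. The 417 body template, the request parsing and the probe value are constructed for illustration.

```python
"""Constructed model of CVE-2006-3918: a 417 error page that reflects the
request's Expect header. The template is paraphrased from the advisory, it
is not the Apache source."""
import html

# Shape of the 417 body: the offending header value is echoed back to the client.
_TEMPLATE = (
    "<html><body><h1>Expectation Failed</h1>"
    "<p>The expectation given in the Expect request-header field "
    "could not be met by this server.</p>"
    "<p>The client sent<pre>    Expect: {expect}</pre></p>"
    "</body></html>"
)

def error_417_unsanitized(expect_header: str) -> str:
    """Vulnerable form: the header value is interpolated verbatim, so any
    markup it carries becomes part of the page (reflected XSS)."""
    return _TEMPLATE.format(expect=expect_header)

def error_417_escaped(expect_header: str) -> str:
    """Hardened form: escape the value before reflecting it, which is the
    class of fix the patched Apache releases applied."""
    return _TEMPLATE.format(expect=html.escape(expect_header, quote=True))

def respond(raw_request: str, escape: bool = True) -> tuple[int, str]:
    """Parse the request head (constructed, simplified parser) and answer 417
    when Expect carries anything other than the one expectation HTTP/1.1
    servers understand, '100-continue'. escape=False reproduces the bug."""
    head, _, _ = raw_request.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    expect = headers.get("expect")
    if expect is None or expect.lower() == "100-continue":
        return 200, "<html><body>ok</body></html>"
    builder = error_417_escaped if escape else error_417_unsanitized
    return 417, builder(expect)

def reflects_markup(body: str, header_value: str) -> bool:
    """Defensive check for a regression test: True when a header value that
    contains HTML metacharacters appears in the body unchanged."""
    has_markup = any(c in header_value for c in "<>\"'")
    return has_markup and header_value in body

if __name__ == "__main__":
    probe = "100-continue<i>probe</i>"  # constructed, benign marker
    req = f"GET / HTTP/1.1\r\nHost: example.test\r\nExpect: {probe}\r\n\r\n"
    for flag in (False, True):
        status, body = respond(req, escape=flag)
        print(status, "escaped" if flag else "verbatim", reflects_markup(body, probe))
```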