Vulnerability Name: CVE-2006-3918 (CCN-28620)
Assigned: 2006-05-08
Published: 2006-05-08
Updated: 2021-06-06
Summary: http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.
CVSS v3 Severity: 4.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
  Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): High; Privileges Required (PR): None; User Interaction (UI): None
  Scope: Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): Low; Integrity (I): Low; Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N); 3.4 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None
  Impact Metrics: Confidentiality (C): None; Integrity (I): Partial; Availability (A): None
CCN CVSS v2 Severity: 4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N); 3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): High; Authentication (Au): None
  Impact Metrics: Confidentiality (C): Partial; Integrity (I): Partial; Availability (A): None
Vulnerability Type: CWE-Other, CWE-79
Vulnerability Consequences: Gain Access
References:
  Source: SGI; Type: UNKNOWN; 20060801-01-P
  Source: BUGTRAQ; Type: Exploit; 20060508 Unfiltered Header Injection in Apache 1.3.34/2.0.57/2.2.1
  Source: CCN; Type: BugTraq Mailing List, Mon May 08 2006 - 14:01:27 CDT; Unfiltered Header Injection in Apache 1.3.34/2.0.57/2.2.1
  Source: BUGTRAQ; Type: Exploit; 20060724 Write-up by Amit Klein: "Forging HTTP request headers with Flash"
  Source: CCN; Type: BugTraq Mailing List, Mon Jul 24 2006 - 14:28:59 CDT; Write-up by Amit Klein: "Forging HTTP request headers with Flash"
  Source: MITRE; Type: CNA; CVE-2006-3918
  Source: CCN; Type: VMware Security Response; Security Response to CVE-2006-3918
  Source: CONFIRM; Type: UNKNOWN; http://kb.vmware.com/KanisaPlatform/Publishing/466/5915871_f.SAL_Public.html
  Source: SUSE; Type: UNKNOWN; SUSE-SA:2008:021
  Source: HP; Type: UNKNOWN; HPSBUX02465
  Source: HP; Type: UNKNOWN; HPSBUX02612
  Source: HP; Type: UNKNOWN; SSRT090208
  Source: OPENBSD; Type: UNKNOWN; [3.9] 012: SECURITY FIX: October 7, 2006
  Source: CCN; Type: RHSA-2006-0618; apache security update
  Source: REDHAT; Type: UNKNOWN; RHSA-2006:0618
  Source: CCN; Type: RHSA-2006-0619; httpd security update
  Source: CCN; Type: RHSA-2006-0692; apache security update for Stronghold
  Source: REDHAT; Type: UNKNOWN; RHSA-2006:0692
  Source: CCN; Type: RHSA-2008-0523; Low: Red Hat Network Proxy Server security update
  Source: CCN; Type: RHSA-2010-0602; Moderate: Red Hat Certificate System 7.3 security update
  Source: CCN; Type: SA21172; Apache "Expect" Header Cross-Site Scripting Vulnerability
  Source: SECUNIA; Type: Patch, Vendor Advisory; 21172
  Source: CCN; Type: SA21174; IBM HTTP Server "Expect" Header Cross-Site Scripting
  Source: SECUNIA; Type: Patch, Vendor Advisory; 21174
  Source: SECUNIA; Type: UNKNOWN; 21399
  Source: CCN; Type: SA21478; IBM HTTP Server Two Vulnerabilities
  Source: SECUNIA; Type: UNKNOWN; 21478
  Source: SECUNIA; Type: UNKNOWN; 21598
  Source: SECUNIA; Type: UNKNOWN; 21744
  Source: SECUNIA; Type: UNKNOWN; 21848
  Source: CCN; Type: SA21986; Avaya Products Apache "Expect" Header Cross-Site Scripting
  Source: SECUNIA; Type: UNKNOWN; 21986
  Source: SECUNIA; Type: UNKNOWN; 22140
  Source: SECUNIA; Type: UNKNOWN; 22317
  Source: CCN; Type: SA22523; IBM HMC Apache2 / OpenSSL Vulnerabilities
  Source: SECUNIA; Type: UNKNOWN; 22523
  Source: SECUNIA; Type: UNKNOWN; 28749
  Source: SECUNIA; Type: UNKNOWN; 29640
  Source: CCN; Type: SA40256; F-Secure Policy Manager Expect Header Cross-Site Scripting
  Source: SECUNIA; Type: UNKNOWN; 40256
  Source: SREASON; Type: UNKNOWN; 1294
  Source: CCN; Type: SECTRACK ID: 1016569; IBM HTTP Server (IHS) Lack of Input Validation in Expect Header May Permit Cross-Site Scripting Attacks
  Source: SECTRACK; Type: UNKNOWN; 1016569
  Source: CCN; Type: SECTRACK ID: 1024144; F-Secure Policy Manager Input Validation Bug Permits Cross-Site Scripting Attacks Via the Expect Header
  Source: CONFIRM; Type: UNKNOWN; http://support.avaya.com/elmodocs2/security/ASA-2006-194.htm
  Source: CCN; Type: ASA-2006-194; httpd security update (RHSA-2006-0619)
  Source: CCN; Type: ASA-2006-212; apache security update (RHSA-2006-0618)
  Source: CCN; Type: Apache-SVN; Revision 394965
  Source: CONFIRM; Type: Exploit; http://svn.apache.org/viewvc?view=rev&revision=394965
  Source: AIXAPAR; Type: UNKNOWN; PK24631
  Source: CCN; Type: IBM Support & downloads; PK24631: HTTP EXPECT HEADER VALUE CAN BE ECHOED TO BROWSER UNESCAPED
  Source: AIXAPAR; Type: UNKNOWN; PK27875
  Source: DEBIAN; Type: UNKNOWN; DSA-1167
  Source: DEBIAN; Type: DSA-1167; apache -- missing input sanitising
  Source: CCN; Type: FSC-2010-2; Expect-header sanitation vulnerability
  Source: CONFIRM; Type: UNKNOWN; http://www.f-secure.com/en_EMEA/support/security-advisory/fsc-2010-2.html
  Source: SUSE; Type: UNKNOWN; SUSE-SA:2006:051
  Source: CCN; Type: OSVDB ID: 65680; F-Secure Policy Manager Expect: Header XSS
  Source: REDHAT; Type: UNKNOWN; RHSA-2006:0619
  Source: BID; Type: UNKNOWN; 19661
  Source: CCN; Type: BID-19661; Apache HTTP Server Arbitrary HTTP Request Headers Security Weakness
  Source: SECTRACK; Type: UNKNOWN; 1024144
  Source: CCN; Type: TLSA-2006-24; Cross-site scripting vulnerability
  Source: CCN; Type: USN-575-1; Apache vulnerabilities
  Source: UBUNTU; Type: UNKNOWN; USN-575-1
  Source: VUPEN; Type: UNKNOWN; ADV-2006-2963
  Source: VUPEN; Type: UNKNOWN; ADV-2006-2964
  Source: VUPEN; Type: UNKNOWN; ADV-2006-3264
  Source: VUPEN; Type: UNKNOWN; ADV-2006-4207
  Source: VUPEN; Type: UNKNOWN; ADV-2006-5089
  Source: VUPEN; Type: UNKNOWN; ADV-2010-1572
  Source: CONFIRM; Type: UNKNOWN; http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3117
  Source: XF; Type: UNKNOWN; httpserver-expect-header-xss(28620)
  Source: MLIST; Type: UNKNOWN; [httpd-cvs] 20210330 svn commit: r1073140 [1/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  Source: MLIST; Type: UNKNOWN; [httpd-cvs] 20210603 svn commit: r1075360 [1/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  Source: MLIST; Type: UNKNOWN; [httpd-cvs] 20210330 svn commit: r1888194 [4/13] - /httpd/site/trunk/content/security/json/
  Source: MLIST; Type: UNKNOWN; [httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
  Source: MLIST; Type: UNKNOWN; [httpd-cvs] 20210330 svn commit: r1073149 [5/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
  Source: MLIST; Type: UNKNOWN; [httpd-cvs] 20210606 svn commit: r1075467 [1/2] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  Source: MLIST; Type: UNKNOWN; [httpd-cvs] 20210330 svn commit: r1073139 [4/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
  Source: MLIST; Type: UNKNOWN; [httpd-cvs] 20210606 svn commit: r1075470 [1/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  Source: MLIST; Type: UNKNOWN; [httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
  Source: OVAL; Type: UNKNOWN; oval:org.mitre.oval:def:10352
  Source: OVAL; Type: UNKNOWN; oval:org.mitre.oval:def:12238
  Source: EXPLOIT-DB; Type: EXPLOIT; Offensive Security Exploit Database [06-13-2011]
  Source: SUSE; Type: SUSE-SA:2006:051; Apache2 SSLVerifyClient problems
  Source: SUSE; Type: SUSE-SA:2008:021; Apache security problems
  Source: CCN; Type: IBM Systems Support Web site; Support for HMC
Vulnerable Configuration:
  Configuration 1:
    cpe:/a:apache:http_server:1.3.18:*:*:*:*:*:*:* OR
    cpe:/a:apache:http_server:1.3.19:*:*:*:*:*:*:* OR
    cpe:/a:ibm:http_server:6.0:*:*:*:*:*:*:* OR
    cpe:/a:ibm:http_server:6.1:*:*:*:*:*:*:* OR
    cpe:/a:apache:http_server:1.3.12:*:win32:*:*:*:*:* OR
    cpe:/a:apache:http_server:1.3.17:*:*:*:*:*:*:* OR
    cpe:/a:apache:http_server:2.2:*:*:*:*:*:*:* OR
    cpe:/a:apache:http_server:2.2.1:*:*:*:*:*:*:* OR
    cpe:/a:apache:http_server:1.3.11:*:win32:*:*:*:*:* OR
    cpe:/a:apache:http_server:1.3.12:*:*:*:*:*:*:* OR
    cpe:/a:apache:http_server:2.0:*:*:*:*:*:*:* OR
    cpe:/a:apache:http_server:2.0.57:*:*:*:*:*:*:* OR
    cpe:/a:apache:http_server:1.3.1:*:*:*:*:*:*:* OR
    cpe:/a:apache:http_server:1.3.20:*:*:*:*:*:*:* OR
    cpe:/a:apache:http_server:1.3:*:*:*:*:*:*:* OR
    cpe:/a:apache:http_server:1.3.22:*:*:*:*:*:*:*
  Configuration RedHat 1: cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:*
  Configuration RedHat 2: cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*
  Configuration RedHat 3: cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*
  Configuration RedHat 4: cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*
  Configuration RedHat 5: cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*
  Configuration CCN 1:
    cpe:/a:apache:http_server:1.3:*:*:*:*:*:*:* OR
    cpe:/a:apache:http_server:1.3.1:*:*:*:*:*:*:* OR
    cpe:/a:apache:http_server:1.3.19:*:*:*:*:*:*:* OR
    cpe:/a:apache:http_server:2.0:*:*:*:*:*:*:* OR
    cpe:/a:apache:http_server:1.3.12:*:*:*:*:*:*:* OR
    cpe:/a:apache:http_server:1.3.20:*:*:*:*:*:*:* OR
    cpe:/a:apache:http_server:1.3.17:*:*:*:*:*:*:* OR
    cpe:/a:apache:http_server:1.3.11:*:*:*:*:*:*:* OR
    cpe:/a:apache:http_server:1.3.22:*:*:*:*:*:*:* OR
    cpe:/a:apache:http_server:1.3.18:*:*:*:*:*:*:* OR
    cpe:/a:apache:http_server:2.0.57:*:*:*:*:*:*:* OR
    cpe:/a:apache:http_server:2.2:*:*:*:*:*:*:* OR
    cpe:/a:apache:http_server:2.2.1:*:*:*:*:*:*:* OR
    cpe:/a:ibm:http_server:6.0:*:*:*:*:*:*:* OR
    cpe:/a:ibm:http_server:6.1:*:*:*:*:*:*:* OR
    cpe:/a:redhat:certificate_system:7.3:*:*:*:*:*:*:* AND
    cpe:/a:redhat:stronghold:-:*:*:*:*:*:*:* OR
    cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:* OR
    cpe:/o:redhat:enterprise_linux:2.1:*:es:*:*:*:*:* OR
    cpe:/o:redhat:enterprise_linux:2.1:*:ws:*:*:*:*:* OR
    cpe:/o:suse:suse_linux:9.0:*:*:*:*:*:*:* OR
    cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:* OR
    cpe:/o:redhat:enterprise_linux:3::es:*:*:*:*:* OR
    cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:* OR
    cpe:/o:redhat:enterprise_linux:3::desktop:*:*:*:*:* OR
    cpe:/o:suse:suse_linux:9.2:*:*:*:*:*:*:* OR
    cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:* OR
    cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:* OR
    cpe:/o:novell:linux_desktop:9:*:*:*:*:*:*:* OR
    cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:* OR
    cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:* OR
    cpe:/o:debian:debian_linux:3.1:*:*:*:*:*:*:* OR
    cpe:/a:novell:open_enterprise_server:*:*:*:*:*:*:*:* OR
    cpe:/o:suse:suse_linux:10.0::oss:*:*:*:*:* OR
    cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:* OR
    cpe:/o:canonical:ubuntu:6.06::lts:*:*:*:*:* OR
    cpe:/o:novell:suse_linux_enterprise_server:10:sp2:itanium_ia64:*:*:*:*:* OR
    cpe:/o:turbolinux:turbolinux:fuji:*:*:*:*:*:*:* OR
    cpe:/o:turbolinux:turbolinux:*:*:personal:*:*:*:*:* OR
    cpe:/o:turbolinux:turbolinux:*:*:home:*:*:*:*:* OR
    cpe:/o:turbolinux:turbolinux:*:*:multimedia:*:*:*:*:* OR
    cpe:/o:canonical:ubuntu:7.04:*:*:*:*:*:*:* OR
    cpe:/o:canonical:ubuntu:7.10:*:*:*:*:*:*:* OR
    cpe:/a:vmware:esx_server:2.5.5:*:*:*:*:*:*:* OR
    cpe:/a:novell:open_enterprise_server:*:*:*:*:*:*:*:* OR
    cpe:/a:redhat:network_proxy:4.2:*:*:*:*:*:*:* OR
    cpe:/o:vmware:esx:2.0:build_5257:*:*:*:*:*:* OR
    cpe:/o:opensuse:opensuse:10.2:*:*:*:*:*:*:* OR
    cpe:/o:opensuse:opensuse:10.3:*:*:*:*:*:*:* OR
    cpe:/o:suse:suse_linux:9.3:*:*:*:*:*:*:* OR
    cpe:/a:vmware:esx_server:3.0.3:*:*:*:*:*:*:*
Oval Definitions (Definition ID; Class; Title; Last Modified):
  oval:org.opensuse.security:def:20063918; V; CVE-2006-3918; 2015-11-16
  oval:org.mitre.oval:def:12238; V; HP-UX Apache-based Web Server, Local Information Disclosure, Increase of Privilege, Remote Denial of Service (DoS); 2015-04-20
  oval:org.mitre.oval:def:17648; P; USN-575-1 -- apache2 vulnerabilities; 2014-06-30
  oval:org.mitre.oval:def:10352; V; http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.; 2013-04-29
  oval:org.debian:def:1167; V; missing input sanitising; 2006-09-04
  oval:com.redhat.rhsa:def:20060619; P; RHSA-2006:0619: httpd security update (Moderate); 2006-08-10