PT-2006-4764 · Apache · Apache HTTP Server

Amit Klein

Published: 2006-05-08
Updated: 2022-09-21
CVE: CVE-2006-3918
CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

IBM HTTP Server versions 6.0 through 6.0.2.13
IBM HTTP Server versions 6.1 through 6.1.0.1
Apache HTTP Server versions 1.3 through 1.3.35
Apache HTTP Server versions 2.0 through 2.0.58
Apache HTTP Server versions 2.2 through 2.2.2

Description

The issue arises because the value of the Expect request header is not sanitized before it is reflected back in the body of the server's error message (the response sent when the expectation cannot be met). Because the value is written into HTML without escaping, this allows cross-site scripting style attacks from any web client component that can send arbitrary request headers; for instance, a Flash SWF file can be used to demonstrate the vulnerability. An attacker who can influence the Expect header that a victim's client sends to a target site can thereby cause script of their choosing to be reflected into the response, leading to a cross-site scripting attack against that site.

Recommendations

For IBM HTTP Server versions 6.0 through 6.0.2.13, update to version 6.0.2.13 or later.
For IBM HTTP Server versions 6.1 through 6.1.0.1, update to version 6.1.0.1 or later.
For Apache HTTP Server versions 1.3 through 1.3.35, update to version 1.3.35 or later.
For Apache HTTP Server versions 2.0 through 2.0.58, update to version 2.0.58 or later.
For Apache HTTP Server versions 2.2 through 2.2.2, update to version 2.2.2 or later.

As a temporary workaround, consider restricting access to the Expect header to minimize the risk of exploitation.
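The following Python block is an added illustration, not code from the advisory or from the Apache or IBM projects. It models the defect the description above names: an error page that copies the Expect header value into HTML verbatim, beside the corrected form that HTML-escapes the value first, plus a small check a defender can run over a captured error response body to confirm the value is no longer reflected raw. The page template and the sample header value are constructed for the example; they approximate the shape of a 417 "Expectation Failed" page and are not quoted from any server's source.

```python
import html

# Constructed sample header value containing the characters that must be
# escaped before being written into an HTML document.
SAMPLE_EXPECT = '<b>marker</b> "quoted" & more'

# Constructed page template, with a single slot for the reflected value.
# This approximates the layout of a 417 error page; it is not httpd's text.
_TEMPLATE = (
    "<html><head><title>417 Expectation Failed</title></head><body>"
    "<h1>Expectation Failed</h1>"
    "<p>The expectation given in the Expect request-header field could "
    "not be met by this server.<br />The client sent<pre>\n"
    "    Expect: {value}\n"
    "</pre>but we only allow the 100-continue expectation.</p>"
    "</body></html>"
)


def render_417_unsafe(expect_value: str) -> str:
    """Vulnerable pattern: the raw header value is interpolated into HTML,
    so any markup the client put into the header becomes part of the page."""
    return _TEMPLATE.format(value=expect_value)


def render_417_safe(expect_value: str) -> str:
    """Corrected pattern: escape <, >, &, and quotes before reflection, so the
    value is displayed as text rather than interpreted as markup."""
    return _TEMPLATE.format(value=html.escape(expect_value, quote=True))


def reflects_raw_markup(body: str, value: str) -> bool:
    """Defender's check over a captured response body.

    Returns True only when the header value contains characters that HTML
    requires to be escaped AND that value appears in the body verbatim.
    A plain value such as "100-continue" can never trigger this, which keeps
    the check from flagging benign reflection.
    """
    needs_escape = any(c in value for c in '<>&"')
    return needs_escape and value in body


if __name__ == "__main__":
    for name, render in (("unsafe", render_417_unsafe), ("safe", render_417_safe)):
        body = render(SAMPLE_EXPECT)
        print(f"{name}: raw markup reflected = {reflects_raw_markup(body, SAMPLE_EXPECT)}")
```

The check deliberately keys on the presence of HTML-significant characters in the value rather than on a fixed payload, so the same function can be reused against responses captured from a test instance with any marker the tester chooses. The hardened renderer uses `html.escape(..., quote=True)` so that attribute-context quotes are covered as well as element-context angle brackets.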

Weakness Enumeration

XSS

Related Identifiers

CVE-2006-3918
DSA-1167-1
HPSBUX02465
HPSBUX02612
RHSA-2006:0619
RHSA-2006_0619
RHSA-2008:0523
RHSA-2010:0602

Affected Products

Apache HTTP Server
HP-UX
IBM HTTP Server
Red Hat