*) core: Allow usage of the "Include" configuration directive within
previously "Include"d files. [Colm MacCarthaigh]
- *) HTML-escape the Expect error message. Not classed as security as
- an attacker has no way to influence the Expect header a victim will
- send to a target site. Reported by Thiago Zaninotti
- <thiango nstalker.com>. [Mark Cox]
+ *) SECURITY: CVE-2006-3918 (cve.mitre.org)
+ HTML-escape the Expect error message. Only a security issue if
+ an attacker can influence the Expect header a victim will send to a
+ target site (it's known that some versions of Flash can do this)
+ Reported by Thiago Zaninotti <thiango nstalker.com>. [Mark Cox]
*) mod_cgi: Remove block on OPTIONS method so that scripts can
respond to OPTIONS directly rather than via server default.
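Review bot: in the added SECURITY entry, the line "target site (it's known that some versions of Flash can do this)" ends without a period, so it runs straight into "Reported by ..."; add the full stop. The entry also never names the class of issue that HTML-escaping the Expect message fixes, and "Only a security issue if ..." reads as a hedge under a SECURITY: tag. Consider stating the class and the precondition directly, for example "Cross-site scripting through the Expect error message; exploitable where a client (some versions of Flash) lets an attacker set the Expect header", and cite a reference for the Flash behaviour if one is available, since "some versions" gives a reader nothing to check against.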