From: Mark J. Cox Date: Mon, 31 Jul 2006 08:06:17 +0000 (+0000) Subject: The Expect header XSS got a CVE name as it was proved you can influence the X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=43a113f1595d4d351566194be7b712011289d1ac;p=thirdparty%2Fapache%2Fhttpd.git The Expect header XSS got a CVE name as it was proved you can influence the header if a user visits a site holding a malicious flash file. IMO this is a flash flaw, but mark as security for future reference, although only for 1.3. 2.0 and 2.2 both need to timeout before any XSS happens reducing the risk. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@427039 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/src/CHANGES b/src/CHANGES index 8339caeea32..3358272ff5d 100644 --- a/src/CHANGES +++ b/src/CHANGES @@ -29,10 +29,11 @@ Changes with Apache 1.3.35 *) core: Allow usage of the "Include" configuration directive within previously "Include"d files. [Colm MacCarthaigh] - *) HTML-escape the Expect error message. Not classed as security as - an attacker has no way to influence the Expect header a victim will - send to a target site. Reported by Thiago Zaninotti - . [Mark Cox] + *) SECURITY: CVE-2006-3918 (cve.mitre.org) + HTML-escape the Expect error message. Only a security issue if + an attacker can influence the Expect header a victim will send to a + target site (it's known that some versions of Flash can do this) + Reported by Thiago Zaninotti . [Mark Cox] *) mod_cgi: Remove block on OPTIONS method so that scripts can respond to OPTIONS directly rather than via server default.