svn commit: r427039 - /httpd/httpd/branches/1.3.x/src/CHANGES

[mj...@apache.org]

Author: mjc
Date: Mon Jul 31 01:06:17 2006
New Revision: 427039

URL: http://svn.apache.org/viewvc?rev=427039&view=rev
Log:
The Expect header XSS got a CVE name as it was proved you can influence the
header if a user visits a site holding a malicious flash file.  
IMO this is a flash flaw, but mark as security for future reference, although
only for 1.3.  2.0 and 2.2 both need to timeout before any XSS happens 
reducing the risk.

Modified:
    httpd/httpd/branches/1.3.x/src/CHANGES

Modified: httpd/httpd/branches/1.3.x/src/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/1.3.x/src/CHANGES?rev=427039&r1=427038&r2=427039&view=diff
==============================================================================
--- httpd/httpd/branches/1.3.x/src/CHANGES (original)
+++ httpd/httpd/branches/1.3.x/src/CHANGES Mon Jul 31 01:06:17 2006
@@ -29,10 +29,11 @@
   *) core: Allow usage of the "Include" configuration directive within
      previously "Include"d files. [Colm MacCarthaigh]
 
-  *) HTML-escape the Expect error message.  Not classed as security as
-     an attacker has no way to influence the Expect header a victim will
-     send to a target site.  Reported by Thiago Zaninotti 
-     <thiango nstalker.com>. [Mark Cox]
+  *) SECURITY: CVE-2006-3918 (cve.mitre.org)
+     HTML-escape the Expect error message.  Only a security issue if
+     an attacker can influence the Expect header a victim will send to a 
+     target site (it's known that some versions of Flash can do this)
+     Reported by Thiago Zaninotti <thiango nstalker.com>.  [Mark Cox]
 
   *) mod_cgi: Remove block on OPTIONS method so that scripts can
      respond to OPTIONS directly rather than via server default.