You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by mj...@apache.org on 2006/07/31 10:06:18 UTC
svn commit: r427039 - /httpd/httpd/branches/1.3.x/src/CHANGES
Author: mjc
Date: Mon Jul 31 01:06:17 2006
New Revision: 427039
URL: http://svn.apache.org/viewvc?rev=427039&view=rev
Log:
The Expect header XSS got a CVE name as it was proved you can influence the
header if a user visits a site holding a malicious flash file.
IMO this is a flash flaw, but mark as security for future reference, although
only for 1.3. 2.0 and 2.2 both need to timeout before any XSS happens
reducing the risk.
Modified:
httpd/httpd/branches/1.3.x/src/CHANGES
Modified: httpd/httpd/branches/1.3.x/src/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/1.3.x/src/CHANGES?rev=427039&r1=427038&r2=427039&view=diff
==============================================================================
--- httpd/httpd/branches/1.3.x/src/CHANGES (original)
+++ httpd/httpd/branches/1.3.x/src/CHANGES Mon Jul 31 01:06:17 2006
@@ -29,10 +29,11 @@
*) core: Allow usage of the "Include" configuration directive within
previously "Include"d files. [Colm MacCarthaigh]
- *) HTML-escape the Expect error message. Not classed as security as
- an attacker has no way to influence the Expect header a victim will
- send to a target site. Reported by Thiago Zaninotti
- <thiango nstalker.com>. [Mark Cox]
+ *) SECURITY: CVE-2006-3918 (cve.mitre.org)
+ HTML-escape the Expect error message. Only a security issue if
+ an attacker can influence the Expect header a victim will send to a
+ target site (it's known that some versions of Flash can do this)
+ Reported by Thiago Zaninotti <thiango nstalker.com>. [Mark Cox]
*) mod_cgi: Remove block on OPTIONS method so that scripts can
respond to OPTIONS directly rather than via server default.