{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://archives.neohapsis.com/archives/bugtraq/2006-05/0151.html", "name": "20060508 Unfiltered Header Injection in Apache 1.3.34/2.0.57/2.2.1", "tags": ["Broken Link", "Exploit"], "refsource": "BUGTRAQ"}, {"url": "http://archives.neohapsis.com/archives/bugtraq/2006-07/0425.html", "name": "20060724 Write-up by Amit Klein: \"Forging HTTP request headers with Flash\"", "tags": ["Broken Link", "Exploit"], "refsource": "BUGTRAQ"}, {"url": "http://svn.apache.org/viewvc?view=rev&revision=394965", "name": "http://svn.apache.org/viewvc?view=rev&revision=394965", "tags": ["Exploit", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://www-1.ibm.com/support/docview.wss?uid=swg1PK24631", "name": "PK24631", "tags": ["Third Party Advisory"], "refsource": "AIXAPAR"}, {"url": "http://secunia.com/advisories/21172", "name": "21172", "tags": ["Not Applicable", "Patch", "Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://secunia.com/advisories/21174", "name": "21174", "tags": ["Not Applicable", "Patch", "Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://securitytracker.com/id?1016569", "name": "1016569", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "refsource": "SECTRACK"}, {"url": "http://www-1.ibm.com/support/docview.wss?uid=swg24013080", "name": "PK27875", "tags": ["Third Party Advisory"], "refsource": "AIXAPAR"}, {"url": "http://rhn.redhat.com/errata/RHSA-2006-0618.html", "name": "RHSA-2006:0618", "tags": ["Third Party Advisory"], "refsource": "REDHAT"}, {"url": "http://www.redhat.com/support/errata/RHSA-2006-0619.html", "name": "RHSA-2006:0619", "tags": ["Third Party Advisory"], "refsource": "REDHAT"}, {"url": "http://secunia.com/advisories/21399", "name": "21399", "tags": ["Not Applicable"], "refsource": "SECUNIA"}, {"url": "http://secunia.com/advisories/21478", "name": "21478", "tags": ["Not Applicable"], "refsource": "SECUNIA"}, {"url": 
"http://www.debian.org/security/2006/dsa-1167", "name": "DSA-1167", "tags": ["Third Party Advisory"], "refsource": "DEBIAN"}, {"url": "ftp://patches.sgi.com/support/free/security/advisories/20060801-01-P", "name": "20060801-01-P", "tags": ["Broken Link"], "refsource": "SGI"}, {"url": "http://secunia.com/advisories/21848", "name": "21848", "tags": ["Not Applicable"], "refsource": "SECUNIA"}, {"url": "http://secunia.com/advisories/21598", "name": "21598", "tags": ["Not Applicable"], "refsource": "SECUNIA"}, {"url": "http://secunia.com/advisories/21744", "name": "21744", "tags": ["Not Applicable"], "refsource": "SECUNIA"}, {"url": "http://www.novell.com/linux/security/advisories/2006_51_apache.html", "name": "SUSE-SA:2006:051", "tags": ["Third Party Advisory"], "refsource": "SUSE"}, {"url": "http://support.avaya.com/elmodocs2/security/ASA-2006-194.htm", "name": "http://support.avaya.com/elmodocs2/security/ASA-2006-194.htm", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "http://secunia.com/advisories/21986", "name": "21986", "tags": ["Not Applicable"], "refsource": "SECUNIA"}, {"url": "http://rhn.redhat.com/errata/RHSA-2006-0692.html", "name": "RHSA-2006:0692", "tags": ["Third Party Advisory"], "refsource": "REDHAT"}, {"url": "http://secunia.com/advisories/22140", "name": "22140", "tags": ["Not Applicable"], "refsource": "SECUNIA"}, {"url": "http://openbsd.org/errata.html#httpd2", "name": "[3.9] 012: SECURITY FIX: October 7, 2006", "tags": ["Third Party Advisory"], "refsource": "OPENBSD"}, {"url": "http://www.securityfocus.com/bid/19661", "name": "19661", "tags": ["Third Party Advisory", "VDB Entry"], "refsource": "BID"}, {"url": "http://secunia.com/advisories/22317", "name": "22317", "tags": ["Not Applicable"], "refsource": "SECUNIA"}, {"url": "http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3117", "name": "http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3117", "tags": ["Broken Link"], 
"refsource": "CONFIRM"}, {"url": "http://secunia.com/advisories/22523", "name": "22523", "tags": ["Not Applicable"], "refsource": "SECUNIA"}, {"url": "http://kb.vmware.com/KanisaPlatform/Publishing/466/5915871_f.SAL_Public.html", "name": "http://kb.vmware.com/KanisaPlatform/Publishing/466/5915871_f.SAL_Public.html", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "http://securityreason.com/securityalert/1294", "name": "1294", "tags": ["Exploit", "Third Party Advisory"], "refsource": "SREASON"}, {"url": "http://www.ubuntu.com/usn/usn-575-1", "name": "USN-575-1", "tags": ["Third Party Advisory"], "refsource": "UBUNTU"}, {"url": "http://secunia.com/advisories/28749", "name": "28749", "tags": ["Not Applicable"], "refsource": "SECUNIA"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00004.html", "name": "SUSE-SA:2008:021", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "SUSE"}, {"url": "http://secunia.com/advisories/29640", "name": "29640", "tags": ["Not Applicable"], "refsource": "SECUNIA"}, {"url": "http://marc.info/?l=bugtraq&m=125631037611762&w=2", "name": "HPSBUX02465", "tags": ["Issue Tracking", "Mailing List", "Third Party Advisory"], "refsource": "HP"}, {"url": "http://marc.info/?l=bugtraq&m=129190899612998&w=2", "name": "HPSBUX02612", "tags": ["Issue Tracking", "Mailing List", "Third Party Advisory"], "refsource": "HP"}, {"url": "http://www.vupen.com/english/advisories/2006/2964", "name": "ADV-2006-2964", "tags": ["Permissions Required"], "refsource": "VUPEN"}, {"url": "http://www.vupen.com/english/advisories/2006/5089", "name": "ADV-2006-5089", "tags": ["Permissions Required"], "refsource": "VUPEN"}, {"url": "http://www.vupen.com/english/advisories/2006/3264", "name": "ADV-2006-3264", "tags": ["Permissions Required"], "refsource": "VUPEN"}, {"url": "http://www.vupen.com/english/advisories/2006/2963", "name": "ADV-2006-2963", "tags": ["Permissions Required"], "refsource": "VUPEN"}, {"url": 
"http://www.vupen.com/english/advisories/2006/4207", "name": "ADV-2006-4207", "tags": ["Permissions Required"], "refsource": "VUPEN"}, {"url": "http://marc.info/?l=bugtraq&m=130497311408250&w=2", "name": "SSRT090208", "tags": ["Issue Tracking", "Mailing List", "Third Party Advisory"], "refsource": "HP"}, {"url": "http://www.vupen.com/english/advisories/2010/1572", "name": "ADV-2010-1572", "tags": ["Permissions Required"], "refsource": "VUPEN"}, {"url": "http://www.f-secure.com/en_EMEA/support/security-advisory/fsc-2010-2.html", "name": "http://www.f-secure.com/en_EMEA/support/security-advisory/fsc-2010-2.html", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "http://www.securitytracker.com/id?1024144", "name": "1024144", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "refsource": "SECTRACK"}, {"url": "http://secunia.com/advisories/40256", "name": "40256", "tags": ["Not Applicable"], "refsource": "SECUNIA"}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12238", "name": "oval:org.mitre.oval:def:12238", "tags": ["Third Party Advisory"], "refsource": "OVAL"}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10352", "name": "oval:org.mitre.oval:def:10352", "tags": ["Third Party Advisory"], "refsource": "OVAL"}, {"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E", "name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5@%3Ccvs.httpd.apache.org%3E", "name": "[httpd-cvs] 20210330 svn commit: r1073140 [1/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html 
security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/rafd145ba6cd0a4ced113a5823cdaff45aeb36eb09855b216401c66d6@%3Ccvs.httpd.apache.org%3E", "name": "[httpd-cvs] 20210330 svn commit: r1073149 [5/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r652fc951306cdeca5a276e2021a34878a76695a9f3cfb6490b4a6840@%3Ccvs.httpd.apache.org%3E", "name": "[httpd-cvs] 20210330 svn commit: r1888194 [4/13] - /httpd/site/trunk/content/security/json/", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/reb542d2038e9c331506e0cbff881b47e40fbe2bd93ff00979e60cdf7@%3Ccvs.httpd.apache.org%3E", "name": "[httpd-cvs] 20210330 svn commit: r1073139 [4/13] - in /websites/staging/httpd/trunk/content: ./ security/json/", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r5f9c22f9c28adbd9f00556059edc7b03a5d5bb71d4bb80257c0d34e4@%3Ccvs.httpd.apache.org%3E", "name": "[httpd-cvs] 20210603 svn commit: r1075360 [1/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E", "name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": 
"https://lists.apache.org/thread.html/rb9c9f42dafa25d2f669dac2a536a03f2575bc5ec1be6f480618aee10@%3Ccvs.httpd.apache.org%3E", "name": "[httpd-cvs] 20210606 svn commit: r1075467 [1/2] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e@%3Ccvs.httpd.apache.org%3E", "name": "[httpd-cvs] 20210606 svn commit: r1075470 [1/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-79"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2006-3918", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "severity": "MEDIUM", "impactScore": 
2.9, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2006-07-28T00:04Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "1.3.35", "versionStartIncluding": "1.3.3"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:debian:debian_linux:3.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:7.04:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:7.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:6.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_server:2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_workstation:2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-09-21T19:35Z"}