Commit 5c415a50 authored by Mark J. Cox

The Expect header XSS got a CVE name as it was proved you can influence the
header if a user visits a site holding a malicious Flash file.
IMO this is a Flash flaw, but mark as security for future reference, although
only for 1.3.  2.0 and 2.2 both need to time out before any XSS happens,
reducing the risk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@427039 13f79535-47bb-0310-9956-ffa450edef68
parent 9f70eac8
+5 −4
@@ -29,10 +29,11 @@ Changes with Apache 1.3.35
  *) core: Allow usage of the "Include" configuration directive within
     previously "Include"d files. [Colm MacCarthaigh]

  *) HTML-escape the Expect error message.  Not classed as security as
     an attacker has no way to influence the Expect header a victim will
     send to a target site.  Reported by Thiago Zaninotti 
     <thiango nstalker.com>. [Mark Cox]
  *) SECURITY: CVE-2006-3918 (cve.mitre.org)
     HTML-escape the Expect error message.  Only a security issue if
     an attacker can influence the Expect header a victim will send to a 
     target site (it's known that some versions of Flash can do this)
     Reported by Thiago Zaninotti <thiango nstalker.com>.  [Mark Cox]

  *) mod_cgi: Remove block on OPTIONS method so that scripts can
     respond to OPTIONS directly rather than via server default.
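
Review bot: In the reworded entry, the line ending "(it's known that some versions of Flash can do this)" has no full stop before "Reported by", so the parenthetical runs straight into the credit; add a period after the closing parenthesis. The entry also stays under "Changes with Apache 1.3.35" while its wording flips from "Not classed as security" to "SECURITY: CVE-2006-3918", so consider stating in the entry that the HTML-escaping itself is unchanged and only the classification was revised, which helps anyone who triaged the earlier wording and skipped it.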