Apache and IBM HTTP Server Expect header cross-site scripting (HTTP_Apache_Expect_XSS)

About this signature or vulnerability

Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Network IPS, IBM Security Host Protection for Desktops, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology, IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, IBM Security Host Protection for Servers (Unix):

This signature detects a specially crafted Expect header that could be used to embed a malicious script that is then executed in the victim's Web browser.


Default risk level

Medium

Sensors that have this signature

Proventia Network IDS: XPU 24.49, Proventia-G 1.1 and earlier: XPU 24.49, Proventia Network MFS: XPU 1.88, Proventia Network IPS: XPU 1.88, IBM Security Host Protection for Desktops: 1890, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 1.88, IBM Security Host Protection for Servers (Windows): 1.0.914.1890, IBM Security Host Protection for Servers (Windows): 2.1.14.2400, RealSecure Server Sensor: XPU 24.49, IBM Security Host Protection for Servers (Unix): 2.2.2

Systems affected

Apache HTTP Server: 1.3, Apache HTTP Server: 1.3.1, Apache HTTP Server: 1.3.19, Apache HTTP Server: 2.0, RedHat Stronghold, Apache HTTP Server: 1.3.12, Apache HTTP Server: 1.3.20, Apache HTTP Server: 1.3.17, Apache HTTP Server: 1.3.11, Turbolinux Turbolinux: 8 Server, Turbolinux Turbolinux: 7 Server, RedHat Enterprise Linux: 2.1 AS, RedHat Enterprise Linux: 2.1 ES, RedHat Enterprise Linux: 2.1 WS, SUSE SuSE Linux: 9.0, RedHat Enterprise Linux: 3 WS, RedHat Enterprise Linux: 3 ES, RedHat Enterprise Linux: 3 AS, Turbolinux Turbolinux: 10 Desktop, RedHat Enterprise Linux: 3 Desktop, SuSE SuSE SLES: 9, SUSE SuSE Linux: 9.2, Turbolinux Turbolinux: 10 Server, RedHat Enterprise Linux: 4 AS, RedHat Enterprise Linux: 4 Desktop, Novell Linux Desktop: 9, RedHat Enterprise Linux: 4 ES, RedHat Enterprise Linux: 4 WS, Debian Debian Linux: 3.1, Novell Open Enterprise: Server, SUSE SuSE Linux: 10.0, RedHat Linux Advanced Workstation: 2.1 Itanium, Canonical Ubuntu: 6.06 LTS, VMware ESX Server: 2.5.1, Novell SLE SDK: 10, Novell SUSE Linux Enterprise Server: 10, Canonical Ubuntu: 6.10, VMware ESX Server: 3.0.0, Novell Linux POS: 9, Turbolinux Turbolinux: FUJI, Turbolinux Turbolinux: Personal, Turbolinux Turbolinux: Home, Turbolinux Turbolinux: Multimedia, Turbolinux Turbolinux: 10 F..., Turbolinux Turbolinux Appliance Server: 2.0, Turbolinux Turbolinux: 10 Server x64 Ed, Turbolinux Turbolinux Appliance Server: 1.0 Hosting Ed, Turbolinux Turbolinux Appliance Server: 1.0 Workgroup Ed, VMware ESX Server: 3.0.1, Canonical Ubuntu: 7.04, Novell SUSE Linux Enterprise Server: 10 SP1, Novell SUSE Linux Enterprise Desktop: 10 SP1, Novell SLE SDK: 10 SP1, Canonical Ubuntu: 7.10, Novell Linux Desktop: 9 SDK, Apache HTTP Server: 1.3.22, VMware ESX Server: 3.0.2, VMware ESX Server: 2.5.5, VMware ESX Server: 2.5.4, Apache HTTP Server: 1.3.18, Apache HTTP Server: 2.0.57, Apache HTTP Server: 2.2, Apache HTTP Server: 2.2.1, IBM HTTP Server: 6.0, IBM HTTP Server: 6.1, Novell Open Enterprise Server, RedHat Certificate System: 7.3, RedHat Network Proxy: 4.2, VMware ESX Server: 2.0, VMware ESX Server: 2.0.1, VMware ESX Server: 2.0.2, VMware ESX Server: 2.1, VMware ESX Server: 2.1.1, VMware ESX Server: 2.1.2, VMware ESX Server: 2.1.3, VMware ESX Server: 2.5, VMware ESX Server: 2.5.2, VMware ESX Server: 2.5.3, Novell OpenSUSE: 10.2, Novell OpenSUSE: 10.3, SUSE SuSE Linux: 9.3, VMware ESX Server: 3.0.3, RedHat Network Proxy: 4.2 RHEL 4, F-Secure Policy Manager: 8.0

Type

Suspicious Activity

Vulnerability description

An HTTP request containing embedded <script> tags has been detected, which may indicate a cross-site scripting attempt against a Web server or Web application.
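As an added illustration (not code from this signature page, from ISS or from Apache), the check below extracts the Expect header from a raw HTTP/1.1 request and flags values that carry HTML markup, which is what the signature described above and in the summary at the top of the page looks for; it also shows a 417 error page that HTML-escapes the echoed value, the fix side of the "echoed to browser unescaped" defect named in the PK24631 reference. The sample requests are constructed, not captured traffic.

```python
import html
import re
from typing import List

# Constructed sample requests for this example (not real captured traffic).
BENIGN_REQUEST = (
    b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Expect: 100-continue\r\nContent-Length: 0\r\n\r\n"
)
SUSPICIOUS_REQUEST = (
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Expect: <script>alert(1)</script>\r\n\r\n"
)

# Any '<' or '>' inside a header value that a server may echo back verbatim.
HTML_MARKUP = re.compile(r"[<>]")


def expect_header_values(raw_request: bytes) -> List[str]:
    """Return every Expect header value found in a raw HTTP/1.x request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    values = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"expect":
            values.append(value.strip().decode("latin-1"))
    return values


def suspicious_expect_values(raw_request: bytes) -> List[str]:
    """Flag Expect values other than the standard "100-continue" that contain
    markup: the affected servers reflected an unrecognised Expect value into
    their 417 Expectation Failed page without escaping it."""
    return [v for v in expect_header_values(raw_request)
            if v.lower() != "100-continue" and HTML_MARKUP.search(v)]


def expectation_failed_body(expect_value: str) -> str:
    """A 417 error page that escapes the echoed value before reflecting it."""
    safe = html.escape(expect_value, quote=True)
    return ("<html><body><h1>Expectation Failed</h1>"
            f"<p>The expectation given in the Expect request-header field "
            f"could not be met by this server: {safe}</p></body></html>")
```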

How to remove this vulnerability

This check is for informational purposes only.

Ensure that your personal firewall, operating system, and applications are up-to-date in order to minimize the threat of a system compromise.

References

IBM Support & downloads
PK27875; 1.3.28.1: IBM HTTP Server 1.3.26 and 1.3.28 cumulative e-fix
http://www-1.ibm.com/support/docview.wss?uid=swg24013080

RHSA-2006:0619-9
httpd security update
http://rhn.redhat.com/errata/RHSA-2006-0619.html

SecurityTracker Alert ID: 1016569
IBM HTTP Server (IHS) Lack of Input Validation in Expect Header May Permit Cross-Site Scripting Attacks
http://securitytracker.com/alerts/2006/Jul/1016569.html

Apache-SVN
Revision 394965
http://svn.apache.org/viewvc?view=rev&revision=394965

IBM Support & downloads
PK24631: HTTP EXPECT HEADER VALUE CAN BE ECHOED TO BROWSER UNESCAPED
http://www-1.ibm.com/support/docview.wss?uid=swg1PK24631

BugTraq Mailing List, Mon May 08 2006 - 14:01:27 CDT
Unfiltered Header Injection in Apache 1.3.34/2.0.57/2.2.1
http://archives.neohapsis.com/archives/bugtraq/2006-05/0151.html

BugTraq Mailing List, Mon Jul 24 2006 - 14:28:59 CDT
Write-up by Amit Klein: "Forging HTTP request headers with Flash"
http://archives.neohapsis.com/archives/bugtraq/2006-07/0425.html

FrSIRT/ADV-2006-2963
Apache HTTPd "Expect" Header Handling Client-Side Cross Site Scripting Vulnerability
http://www.frsirt.com/english/advisories/2006/2963

FrSIRT/ADV-2006-2964
IBM HTTP Server "Expect" Header Handling Client-Side Cross Site Scripting Vulnerability
http://www.frsirt.com/english/advisories/2006/2964

DSA-1167-1
DSA-1167-1 apache -- missing input sanitising
http://www.debian.org/security/2006/dsa-1167

VMware Security Response
Security Response to CVE-2006-3918
http://kb.vmware.com/KanisaPlatform/Publishing/466/5915871_f.SAL_Public.html

SUSE-SA:2006:051
apache2
http://www.novell.com/linux/security/advisories/2006_51_apache.html

IBM Systems Support Web site
Support for HMC
https://www14.software.ibm.com/webapp/set2/sas/f/hmc/power5/install/v61.Readme.html#MH01110

FSC-2010-2
Expect-header sanitation vulnerability
http://www.f-secure.com/en_EMEA/support/security-advisory/fsc-2010-2.html

Offensive Security Exploit Database [06-13-2011]
Oracle HTTP Server XSS Header Injection
http://www.exploit-db.com/exploits/17393/

ISS X-Force
Apache and IBM HTTP Server Expect header cross-site scripting
http://www.iss.net/security_center/static/28620.php

CVE
CVE-2006-3918
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918