Web Server Expect Header XSS

medium Nessus Plugin ID 22254

Synopsis

The remote web server is vulnerable to a cross-site scripting attack.

Description

The remote web server fails to sanitize the contents of an 'Expect' request header before using it to generate dynamic web content. An unauthenticated, remote attacker may be able to leverage this issue to launch cross-site scripting attacks against the affected service, perhaps through specially crafted ShockWave (SWF) files.
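The flaw described above, as an added example that is not code from the Nessus plugin or from any vendor: a hypothetical error-page renderer that echoes the 'Expect' value, shown verbatim and then HTML-encoded, with a check an administrator can run on a response body. All function names, the page wording and the sample header values are assumptions constructed for illustration.

```python
import html

# Constructed sample values: a harmless marker carrying HTML metacharacters,
# and an ordinary Expect value with none.
MARKER_EXPECT = '<i id="probe-22254">x</i>'
PLAIN_EXPECT = "100-continue"


def error_body_unsafe(expect_value: str) -> str:
    """'Before' behaviour: the header value is copied into the page verbatim."""
    return ("<html><body><h1>417 Expectation Failed</h1>"
            "<p>Unsupported expectation: " + expect_value + "</p></body></html>")


def error_body_safe(expect_value: str) -> str:
    """Hardened behaviour: HTML-encode the value before it reaches the page."""
    encoded = html.escape(expect_value, quote=True)
    return ("<html><body><h1>417 Expectation Failed</h1>"
            "<p>Unsupported expectation: " + encoded + "</p></body></html>")


def reflects_unescaped(body: str, sent_value: str) -> bool:
    """True if the sent header value came back in the body as live markup.

    A value without HTML metacharacters can be echoed safely, so plain
    reflection of such a value is not reported as a finding.
    """
    has_metachar = any(c in sent_value for c in "<>\"'&")
    return has_metachar and sent_value in body


def audit(render) -> dict:
    """Run both constructed values through a renderer and report each result."""
    return {value: reflects_unescaped(render(value), value)
            for value in (MARKER_EXPECT, PLAIN_EXPECT)}


if __name__ == "__main__":
    for name, render in (("unsafe", error_body_unsafe), ("safe", error_body_safe)):
        for value, finding in audit(render).items():
            print(f"{name:6} Expect={value!r:32} reflected-unescaped={finding}")
```
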

Solution

Check with the vendor for an update to the web server. For Apache, the issue is reportedly fixed by versions 1.3.35 / 2.0.57 / 2.2.2; for IBM HTTP Server, upgrade to 6.0.2.13 / 6.1.0.1; for IBM WebSphere Application Server, upgrade to 5.1.1.17.

See Also

https://seclists.org/bugtraq/2006/May/150

https://seclists.org/bugtraq/2006/May/440

https://seclists.org/bugtraq/2006/Jul/423

http://www.apache.org/dist/httpd/CHANGES_2.2

http://www.apache.org/dist/httpd/CHANGES_2.0

http://www.apache.org/dist/httpd/CHANGES_1.3

http://www-1.ibm.com/support/docview.wss?uid=swg1PK24631

http://www-1.ibm.com/support/docview.wss?uid=swg24017314

Plugin Details

Severity: Medium

ID: 22254

File Name: www_expect_xss.nasl

Version: 1.32

Type: remote

Published: 8/23/2006

Updated: 1/19/2021

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2006-3918

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 4.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

Required KB Items: Settings/ParanoidReport

Exploit Ease: No exploit is required

Exploited by Nessus: true

Vulnerability Publication Date: 5/8/2006

Reference Information

CVE: CVE-2006-3918, CVE-2007-5944

BID: 19661, 26457

CWE: 79