
PK24631: HTTP EXPECT HEADER VALUE CAN BE ECHOED TO BROWSER UNESCAPED

A fix is available

PK65782; 2.0.47.1: IBM HTTP Server V2.0.47 Cumulative Interim Fix


APAR status

  • Closed as program error.

Error description

  • When IBM HTTP Server receives an unsupported Expect header field,
    it will reply to the client with a 417 status code and an error
    document which includes the Expect value received from the client.

    When the input Expect value is included in the error document, it
    should be HTML-escaped to prevent any processing of that value by
    the web client.  The problem addressed by this APAR is that the
    Expect value is not escaped.

Local fix

Problem summary

  • In the handling of the invalid Expect header, an error document was
    sent to the client which contained the invalid value.  When such
    information from the client is echoed back, it must be HTML-escaped
    to prevent any processing by the browser.  However, the invalid
    Expect header was not escaped.  This is the general type of defect
    which can lead to a Cross Site Scripting vulnerability.

    APAR update based on information received later:
    An exploit has been described which uses a web browser plug-in and
    the web server defect described by this APAR.  Based on this
    description and other behaviors of Apache 1.3.x, the Apache HTTP
    Server group considers the fix in Apache 1.3.x a security fix, with
    id CVE-2006-3918.  This applies to IBM HTTP Server 1.3.x as well.

Problem conclusion

  • When building the error document and informing the client of the
    Expect value which could not be processed, that value is now
    HTML-escaped.

    Fix availability:
      6.1: 6.1.0.2 or later
      6.0: 6.0.2.13 or later
      2.0: PK25355 or later
      1.3: PK27875 or later
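The defect and its fix, as an added example that is not IBM's or Apache's code: a minimal C model of building the 417 error document with the Expect value copied in raw (the behaviour this APAR corrects) beside the fixed path that HTML-escapes the value first. The function names, the escaping helper, the sample Expect value and the error-document wording are all assumptions made here; the wording only approximates the generic 417 text and is not the server's actual template.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* HTML-escape a client-supplied string so the browser renders it as text,
 * never as markup. Returns a malloc'd buffer the caller frees, or NULL. */
char *html_escape(const char *s)
{
    size_t len = strlen(s);
    char *out = malloc(len * 6 + 1);   /* worst case: every byte -> "&quot;" */
    char *p = out;
    if (!out)
        return NULL;
    for (; *s; s++) {
        const char *rep = NULL;
        switch (*s) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   break;
        }
        if (rep) {
            size_t n = strlen(rep);
            memcpy(p, rep, n);
            p += n;
        } else {
            *p++ = *s;
        }
    }
    *p = '\0';
    return out;
}

/* Build the body of a 417 error document that echoes the Expect value.
 * escape == 0 models the pre-fix behaviour (value copied in verbatim);
 * escape != 0 models the fixed behaviour described in the APAR.
 * The wording is a constructed approximation of generic 417 text (an
 * assumption, not the real template). Caller frees the result. */
char *build_417_body(const char *expect_value, int escape)
{
    static const char fmt[] =
        "<html><head><title>417 Expectation Failed</title></head><body>\n"
        "<h1>Expectation Failed</h1>\n"
        "<p>The expectation given in the Expect request-header field "
        "could not be met by this server.</p>\n"
        "<p>The client sent</p>\n<pre>\n    Expect: %s\n</pre>\n"
        "<p>but we only allow the 100-continue expectation.</p>\n"
        "</body></html>\n";
    char *value;
    char *body;
    size_t need;

    if (escape) {
        value = html_escape(expect_value);
    } else {
        value = malloc(strlen(expect_value) + 1);   /* raw copy: the defect */
        if (value)
            strcpy(value, expect_value);
    }
    if (!value)
        return NULL;
    need = strlen(fmt) + strlen(value) + 1;   /* "%s" is replaced, so slightly generous */
    body = malloc(need);
    if (body)
        snprintf(body, need, fmt, value);
    free(value);
    return body;
}

int main(void)
{
    /* Constructed sample: an Expect value carrying markup characters. */
    const char *sample = "100-continue<b>not-an-expectation</b>&x=\"1\"";
    char *raw = build_417_body(sample, 0);
    char *fixed = build_417_body(sample, 1);
    if (!raw || !fixed)
        return 1;
    printf("--- unescaped (defect) ---\n%s\n--- escaped (fix) ---\n%s", raw, fixed);
    free(raw);
    free(fixed);
    return 0;
}
```

Running it prints the two documents side by side: in the first the `<b>` from the request header lands in the page as a live tag, in the second it appears as `&lt;b&gt;` and the browser shows it as literal text. The same rule applies to any client-controlled value a server reflects into an error document, not only Expect.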

Temporary fix

Comments

APAR Information

  • APAR number: PK24631
  • Reported component name: IBM HTTP SERVER
  • Reported component ID: 5724J0801
  • Reported release: 60A
  • Status: CLOSED PER
  • PE: NoPE
  • HIPER: NoHIPER
  • Special Attention: NoSpecatt
  • Submitted date: 2006-05-09
  • Closed date: 2006-06-05
  • Last modified date: 2006-08-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name: IBM HTTP SERVER
  • Fixed component ID: 5724J0801

Applicable component levels

  • R60A PSN UP
  • R60H PSN UP
  • R60P PSN UP
  • R60I PSN UP
  • R60S PSN UP
  • R60W PSN UP
  • R60Z PSN UP
  • R61A PSN UP
  • R61H PSN UP
  • R61P PSN UP
  • R61I PSN UP
  • R61S PSN UP
  • R61W PSN UP
  • R61Z PSN UP

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.


Document information

Product categories:

Software

Application Servers

Distributed Application & Web Servers

IBM HTTP Server

Runtime


Software version:

60A


Reference #:

PK24631


IBM Group:

Software Group


Modified date:

2006-08-03
