IBM Support

PK57952: INPUT METHOD NOT ESCAPED IN DEFAULT 413 ERROR RESPONSE

APAR status

  • Closed as program error.

Error description

  • The default error response for HTTP status 413 echoes the
    input HTTP method, such as POST or PUT, in the response without
    HTML-escaping it.  Theoretical client software defects could
    be used with this incorrect response to create a cross-site
    scripting vulnerability. (No such defects have been identified.)
    Although this defect is not a web server vulnerability, the
    issue is being tracked by CVE-2007-6203 because, when the
    problem was first found, it was thought that this web server
    defect was directly exploitable.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All                                          *
    ****************************************************************
    * PROBLEM DESCRIPTION: invalid data from client echoed in      *
    * error responses; potential client software defects, in       *
    * combination with these error responses, could be used in a   *
    * cross-site scripting attack                                  *
    ****************************************************************
    * RECOMMENDATION: This fix is recommended as a preventative    *
    * measure for all customers.                                   *
    ****************************************************************
    Error responses for HTTP errors 405, 411, and 417 echoed the
    input HTTP method in the error response unescaped.  User input
    should be HTML-escaped in server-generated responses to avoid
    potential cross-site scripting attacks.
    Note that there is no known way for an attacker to control
    the input HTTP method sent from the client in order to exploit
    these error responses.
    

Problem conclusion

  • When generating the error responses for errors 405, 411, and
    417, the input HTTP method is HTML-escaped when included in
    the error response, in order to prevent potential cross-site
    scripting vulnerabilities with clients that can be forced to
    send requests with arbitrary HTTP methods.
    .
    This fix is targeted for fix packs
      6.1.0.15
      6.0.2.27
    and cumulative fix PK65782 for IBM HTTP Server 2.0.47
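The conclusion above describes the fix in one sentence: escape the client-supplied method before echoing it into a 405/411/417 error page. The following C code is an added illustration of that pattern, not IBM HTTP Server's source; the message templates, buffer sizes and function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Escape the characters that are significant in HTML so that a
 * client-supplied string can be embedded in a response body as
 * inert text.  Returns the escaped length, or (size_t)-1 if the
 * output buffer is too small (the caller must then not send it). */
size_t html_escape(const char *in, char *out, size_t outsz) {
    size_t n = 0;
    for (; *in != '\0'; in++) {
        char one[2] = { *in, '\0' };
        const char *rep = one;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t len = strlen(rep);
        if (n + len >= outsz) return (size_t)-1;
        memcpy(out + n, rep, len);
        n += len;
    }
    out[n] = '\0';
    return n;
}

/* Constructed message templates for the three statuses the APAR names;
 * the wording is illustrative, not IBM HTTP Server's actual text. */
struct tmpl { int status; const char *before; const char *after; };
static const struct tmpl templates[] = {
    {405, "<p>The requested method ", " is not allowed for the URL.</p>"},
    {411, "<p>A request of method ",  " requires a valid Content-Length.</p>"},
    {417, "<p>The Expect header could not be met for method ", ".</p>"},
};

/* Build the body of a 405/411/417 error page.  The method is escaped
 * before being echoed, which is the behaviour the fix introduces.
 * Returns the body length, or -1 on unknown status / buffer too small. */
int build_error_body(int status, const char *method, char *buf, size_t bufsz) {
    char esc[256];
    if (html_escape(method, esc, sizeof esc) == (size_t)-1) return -1;
    for (size_t i = 0; i < sizeof templates / sizeof templates[0]; i++) {
        if (templates[i].status != status) continue;
        int n = snprintf(buf, bufsz, "%s%s%s", templates[i].before, esc, templates[i].after);
        return (n < 0 || (size_t)n >= bufsz) ? -1 : n;
    }
    return -1;
}
```

A request with an ordinary method renders unchanged, while one carrying markup is neutralised rather than rejected, so the page still reports the actual method the server saw.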
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK57952

  • Reported component name

    IBM HTTP SERVER

  • Reported component ID

    5724J0801

  • Reported release

    60A

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2007-12-10

  • Closed date

    2007-12-20

  • Last modified date

    2008-05-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Modules/Macros

  • HTTPD
    

Fix information

  • Fixed component name

    IBM HTTP SERVER

  • Fixed component ID

    5724J0801

Applicable component levels

  • R60A PSN

       UP

  • R60H PSN

       UP

  • R60P PSN

       UP

  • R60I PSN

       UP

  • R60S PSN

       UP

  • R60W PSN

       UP

  • R60Z PSN

       UP

  • R61A PSN

       UP

  • R61H PSN

       UP

  • R61P PSN

       UP

  • R61I PSN

       UP

  • R61W PSN

       UP

  • R61Z PSN

       UP



Document information

More support for: IBM HTTP Server
Runtime

Software version: 6.0

Reference #: PK57952

Modified date: 23 May 2008
