Bug 201163 (CVE-2007-6203) - www-servers/apache < 2.2.6-r6 413 Request Entity Too Large XSS (CVE-2007-6203)
Summary: www-servers/apache < 2.2.6-r6 413 Request Entity Too Large XSS (CVE-2007-6203)
Status: RESOLVED FIXED
Alias: CVE-2007-6203
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/27906
Whiteboard: A4 [glsa]
Keywords:
Depends on: 204838
Blocks:
Reported: 2007-12-04 01:22 UTC by Robert Buchholz (RETIRED)
Modified: 2008-03-11 21:49 UTC
CC: 4 users

See Also:
Package list:
Runtime testing required: ---


Description Robert Buchholz (RETIRED) gentoo-dev 2007-12-04 01:22:48 UTC
CVE-2007-6203 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6203):
  Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method
  specifier header from an HTTP request when it is reflected back in a "413
  Request Entity Too Large" error message, which might allow cross-site
  scripting (XSS) style attacks using web client components that can send
  arbitrary headers in requests, as demonstrated via an HTTP request containing
  an invalid Content-length value, a similar issue to CVE-2006-3918.
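As an added illustration (not code from this bug, from Apache, or from the advisory), a small Python model of the reflection the CVE text describes: the pre-fix rendering copies the request method verbatim into the 413 error body, the hardened rendering HTML-escapes it first, and a token check rejects method strings that fall outside the RFC 2616 token grammar. The error-page wording and the `GET<i>x</i>` sample method are constructed for the example.

```python
import html
import re

# RFC 2616 "token" characters: an HTTP method may contain nothing else.
# Constructed check for the example, not Apache's implementation.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def _error_body(method_text: str) -> str:
    """Constructed approximation of a 413 error page that echoes the method."""
    return (
        "<title>413 Request Entity Too Large</title>\n"
        "<h1>Request Entity Too Large</h1>\n"
        "<p>The requested resource does not allow request data with "
        f"{method_text} requests, or the amount of data provided in the "
        "request exceeds the capacity limit.</p>\n"
    )


def render_413_vulnerable(method: str) -> str:
    """Pre-fix behaviour: the method string is reflected unescaped."""
    return _error_body(method)


def render_413_fixed(method: str) -> str:
    """Hardened behaviour: HTML-escape the method before reflecting it."""
    return _error_body(html.escape(method, quote=True))


def is_valid_method(method: str) -> bool:
    """True if the method is a syntactically valid HTTP token (e.g. GET, M-SEARCH)."""
    return bool(_TOKEN_RE.match(method))


def reflects_unescaped_markup(body: str, method: str) -> bool:
    """Detection helper: does the response body echo a method that carries
    markup-significant characters without escaping them?"""
    has_markup = any(c in method for c in "<>\"'")
    return has_markup and method in body


if __name__ == "__main__":
    sample = "GET<i>x</i>"  # constructed method string with markup characters
    print("valid token:", is_valid_method(sample))
    print("vulnerable reflects raw markup:",
          reflects_unescaped_markup(render_413_vulnerable(sample), sample))
    print("fixed reflects raw markup:",
          reflects_unescaped_markup(render_413_fixed(sample), sample))
```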
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-12-04 01:24:37 UTC
Apache herd, please advise.
Comment 2 Lubomir Rintel 2007-12-04 08:14:04 UTC
This has no security impact.
How do you trick a user into sending garbage before the actual request method name?
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-12-04 15:50:16 UTC
According to the advisory, flash movies can generate such requests:

From http://archives.neohapsis.com/archives/bugtraq/2006-07/0425.html :

var req:LoadVars=new LoadVars();                 // ActionScript 2 LoadVars object
req.addRequestHeader("Foo","Bar");               // adds an arbitrary request header
req.send("http://www.vuln.site/some/page.cgi?p1=v1&p2=v2",
         "_blank","GET");                        // third argument is the method string sent by the player

So by tricking a user into loading a malicious Flash movie, an attacker could redirect the user to a defaced URL on a remote server.
Comment 4 Lubomir Rintel 2007-12-05 18:56:52 UTC
If I understand correctly, you'd have to control the "GET" part of this:

> req.send("http://www.vuln.site/some/page.cgi?p1=v1&p2=v2",
>          "_blank","GET");

I am not able to check if it is possible, but the advisory sounds like it isn't:

> The reason why we didn't consider this vulnerability a security risk is
> because the attacker needs to force the victim's browser to submit a malformed
> HTTP method.

...

> However, in this case we need to spoof the HTTP METHOD to a specially-crafted
> value.
Comment 5 Benedikt Böhm (RETIRED) gentoo-dev 2007-12-15 14:34:45 UTC
Fixed in 2.2.6-r6, but please don't stabilize this version now, since it is the first unmasked USE_EXPAND version of apache and still needs some testing. I don't think this is a problem since the vuln is not even acknowledged upstream but fixed in their svn branch anyway.
Comment 6 Benedikt Böhm (RETIRED) gentoo-dev 2008-01-07 23:05:28 UTC
2.2.6-r7 is ready for stabilization, see #204838
Comment 7 Benedikt Böhm (RETIRED) gentoo-dev 2008-01-10 16:18:47 UTC
This one is ready.
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-12 21:39:12 UTC
Time for GLSA decision. I'll vote YES just because of the crash issue (bug #204410).
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-13 14:05:05 UTC
Voting YES and filing.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-11 21:49:29 UTC
GLSA 200803-19