SOL6669 - Apache HTTP Expect header handling

The vulnerability exists in the Apache web server, which is used by FirePass. Apache will not sanitize the contents of the HTTP Expect header when receiving an HTTP request. Instead, the contents of the Expect header will be returned in a successful HTTP response. This permits executable code such as JavaScript that is inserted into the HTTP Expect header to be executed by the browser in the security context of the web site whose page was returned. A cross-site scripting attack may be permitted as a result, which can disclose sensitive information or perform other malicious actions.

This vulnerability is difficult to exploit because insertion of code into an HTTP header would generally require an attacker to have exploited another, more serious vulnerability in the browser. It is not sufficient to create a hyperlink with exploit code embedded in the URL parameters, as is the case with the standard cross-site scripting technique. Although ActiveX and the ActionScript language available in Adobe/Macromedia Flash have the capability to craft HTTP requests, including headers and proof-of-concepts, the constraint of having to first download a malicious ActiveX control or Flash file makes this vulnerability unlikely to be exploited.

Information about this advisory is available at the following locations:

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918&gt;

<http://httpd.apache.org/security/vulnerabilities_13.html&gt;

<http://seclists.org/bugtraq/2006/May/0440.html&gt;

<http://www.securityfocus.com/archive/1/441014/30/0/&gt;

F5 Product Development tracked this issue as CR47467 for BIG-IP, and it was fixed in BIG-IP 9.4.0. For information about upgrading, refer to the BIG-IP LTM, GTM, ASM, Link Controller, or WebAccelerator release notes.

F5 Product Development tracked this issue as CR67295 for FirePass, and it was fixed in 5.5.2 and 6.0.1. For information about upgrading, refer to the FirePass release notes.

Additionally, this issue was fixed in cumulative hotfix 600-3 for FirePass software. You may download this hotfix or later versions of the cumulative hotfix from the F5 Downloads site.

For information about the F5 hotfix policy, refer to SOL4918: Overview of F5 critical issue hotfix policy.

For instructions about installing a FirePass hotfix, refer to SOL3430: Installing hotfixes.