Apache Httpd < 1.3.35: Expect header Cross-Site Scripting

ID HTTPD:21276F7B71358FCD8ED42705121EF5F3
Type httpd
Reporter Apache Team Foundation
Modified 2006-05-01T00:00:00


A flaw in the handling of invalid Expect headers. If an attacker can influence the Expect header that a victim sends to a target site they could perform a cross-site scripting attack. It is known that some versions of Flash can set an arbitrary Expect header which can trigger this flaw. Not marked as a security issue for 2.0 or 2.2 as the cross-site scripting is only returned to the victim after the server times out a connection.