Apache Httpd < None: Expect header Cross-Site Scripting

ID HTTPD:7FD1B79F0D1704151C70AE49C5A4F4BD
Type httpd
Reporter Apache Team Foundation
Modified 2006-05-08T00:00:00


A flaw exists in the handling of invalid Expect headers. If an attacker can influence the Expect header that a victim sends to a target site, they could perform a cross-site scripting attack. Some versions of Flash are known to be able to set an arbitrary Expect header, which can trigger this flaw. This is not marked as a security issue for 2.0 or 2.2 because the cross-site scripting is only returned to the victim after the server times out a connection.