IBM Support

PK24631: HTTP EXPECT HEADER VALUE CAN BE ECHOED TO BROWSER UNESCAPED

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • When IBM HTTP Server receives an unsupported Expect header field
    it will reply to the client with a 417 status code and an error
    document which includes the Expect value received from the
    client.
    When the input Expect value is included in the error document,
    it should be HTML-escaped to prevent any processing of that
    value by the web client.  The problem addressed by this APAR is
    that the Expect value is not escaped.
    

Local fix

Problem summary

  • In the handling of the invalid Expect header,
    an error document was sent to the client which contained the
    invalid value.  When such information from the client is
    echoed back, it must be HTML-escaped to prevent any
    processing by the browser.  However, the invalid Expect header
    was not escaped.  This is the general type of defect which can
    lead to a Cross Site Scripting vulnerability.
    APAR update based on information received later:
    An exploit has been described which uses a web browser plug-in
    and the web server defect described by this APAR.  Based on this
    description and other behaviors of Apache 1.3.x, the Apache HTTP
    Server group considers the fix in Apache 1.3.x a security fix,
    with id CVE-2006-3918.  This applies to IBM HTTP Server 1.3.x
    as well.
    

Problem conclusion

  • When building the error document and
    informing the client of the Expect value which could not be
    processed, that value is now HTML-escaped.
    Fix availability:
    6.1: 6.1.0.2 or later
    6.0: 6.0.2.13 or later
    2.0: PK25355 or later
    1.3: PK27875 or later
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK24631

  • Reported component name

    IBM HTTP SERVER

  • Reported component ID

    5724J0801

  • Reported release

    60A

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2006-05-09

  • Closed date

    2006-06-05

  • Last modified date

    2006-08-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM HTTP SERVER

  • Fixed component ID

    5724J0801

Applicable component levels

  • R60A PSN

       UP

  • R60H PSN

       UP

  • R60P PSN

       UP

  • R60I PSN

       UP

  • R60S PSN

       UP

  • R60W PSN

       UP

  • R60Z PSN

       UP

  • R61A PSN

       UP

  • R61H PSN

       UP

  • R61P PSN

       UP

  • R61I PSN

       UP

  • R61S PSN

       UP

  • R61W PSN

       UP

  • R61Z PSN

       UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTJ","label":"IBM HTTP Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
07 September 2022