A fix is available
APAR status
Closed as program error.
Error description
When IBM HTTP Server receives an unsupported Expect header field it will reply to the client with a 417 status code and an error document which includes the Expect value received from the client. When the input Expect value is included in the error document, it should be HTML-escaped to prevent any processing of that value by the web client. The problem addressed by this APAR is that the Expect value is not escaped.
Local fix
Problem summary
In the handling of the invalid Expect header, an error document was sent to the client which contained the invalid value. When such information from the client is echoed back, it must be HTML-escaped to prevent any processing by the browser. However, the invalid Expect header was not escaped. This is the general type of defect which can lead to a Cross Site Scripting vulnerability.

APAR update based on information received later: An exploit has been described which uses a web browser plug-in and the web server defect described by this APAR. Based on this description and other behaviors of Apache 1.3.x, the Apache HTTP Server group considers the fix in Apache 1.3.x a security fix, with id CVE-2006-3918. This applies to IBM HTTP Server 1.3.x as well.
Problem conclusion
When building the error document and informing the client of the Expect value which could not be processed, that value is now HTML-escaped.

Fix availability:
6.1: 6.1.0.2 or later
6.0: 6.0.2.13 or later
2.0: PK25355 or later
1.3: PK27875 or later
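The following is an added illustration of the defect and its fix, written for this page; it is not IBM HTTP Server or Apache source. The 417 error-document template, the escaping routine and the sample Expect value are all constructed for the example. It shows the unescaped rendering the APAR describes beside the escaped rendering the fix introduces, plus a small check a tester can apply to any server's error page: if a client-supplied value containing markup characters appears verbatim in the response body, the reflection is unescaped.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed 417 error-document template (assumed, not the server's real text). */
#define TEMPLATE_417 \
    "<html><head><title>417 Expectation Failed</title></head><body>" \
    "<h1>Expectation Failed</h1>" \
    "<p>The expectation given in the Expect request-header field " \
    "could not be met by this server.</p>" \
    "<p>The client sent <pre>Expect: %s</pre></p>" \
    "</body></html>\n"

/* HTML-escape the characters that can change context inside an HTML
 * text node or attribute. Returns a malloc'd string; caller frees. */
char *html_escape(const char *s)
{
    size_t n = strlen(s);
    char *out = malloc(n * 6 + 1);   /* worst case: every byte becomes "&quot;" */
    if (!out)
        return NULL;
    char *p = out;
    for (; *s; s++) {
        const char *rep;
        switch (*s) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   *p++ = *s;      continue;
        }
        size_t len = strlen(rep);
        memcpy(p, rep, len);
        p += len;
    }
    *p = '\0';
    return out;
}

/* Render the template with the given value substituted. The value is an
 * argument to snprintf, never the format string, so a '%' in the header
 * cannot be interpreted as a conversion. Returns a malloc'd string. */
static char *render_417(const char *value)
{
    int need = snprintf(NULL, 0, TEMPLATE_417, value);
    if (need < 0)
        return NULL;
    char *body = malloc((size_t)need + 1);
    if (!body)
        return NULL;
    snprintf(body, (size_t)need + 1, TEMPLATE_417, value);
    return body;
}

/* Behaviour before the APAR: the client-supplied Expect value is
 * reflected verbatim into the HTML error document. */
char *build_417_body_unescaped(const char *expect_value)
{
    return render_417(expect_value);
}

/* Behaviour after the APAR: the value is HTML-escaped before it is
 * placed in the document, so the browser renders it as text only. */
char *build_417_body(const char *expect_value)
{
    char *esc = html_escape(expect_value);
    if (!esc)
        return NULL;
    char *body = render_417(esc);
    free(esc);
    return body;
}

/* Tester-side check: returns 1 when a value that carries markup
 * characters shows up unchanged in the response body (unescaped
 * reflection), 0 otherwise. */
int body_reflects_raw_markup(const char *body, const char *expect_value)
{
    if (strpbrk(expect_value, "<>&\"'") == NULL)
        return 0;   /* nothing to escape, so verbatim reflection is harmless */
    return strstr(body, expect_value) != NULL;
}

int main(void)
{
    /* Constructed sample: an unsupported Expect value containing markup. */
    const char *sample = "<b>not-100-continue</b>";
    char *bad = build_417_body_unescaped(sample);
    char *good = build_417_body(sample);
    printf("unescaped reflects markup: %d\n", body_reflects_raw_markup(bad, sample));
    printf("escaped   reflects markup: %d\n", body_reflects_raw_markup(good, sample));
    free(bad);
    free(good);
    return 0;
}
```

The check in body_reflects_raw_markup is deliberately conservative: a value with no markup characters is expected to appear verbatim, so only values that contain one of the five escaped characters count as evidence of an unescaped reflection.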
Temporary fix
Comments
APAR Information
APAR number
PK24631
Reported component name
IBM HTTP SERVER
Reported component ID
5724J0801
Reported release
60A
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2006-05-09
Closed date
2006-06-05
Last modified date
2006-08-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM HTTP SERVER
Fixed component ID
5724J0801
Applicable component levels
R60A PSN UP
R60H PSN UP
R60P PSN UP
R60I PSN UP
R60S PSN UP
R60W PSN UP
R60Z PSN UP
R61A PSN UP
R61H PSN UP
R61P PSN UP
R61I PSN UP
R61S PSN UP
R61W PSN UP
R61Z PSN UP
Document Information
Modified date:
07 September 2022