Red Hat Bugzilla – Bug 409831
CVE-2007-6203 httpd: Garbage before http method name is not escaped in a reply in case of erroneous request
Last modified: 2011-09-19 17:13:09 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6203 to the following vulnerability:
Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated via an HTTP request containing an invalid Content-length value, a similar issue to CVE-2006-3918.
The user cannot control the part of the HTTP request before the method name and
thus cannot be tricked into including malicious code there.
Should this be backported?
Red Hat does not consider this issue to be a vulnerability. In order to exploit
this for cross-site scripting, the attacker would have to force the victim's
browser to supply an arbitrary malformed HTTP method to a target site, and that
is not possible with current browsers or plugins.
As described in comment #5, this issue is not considered to be a security vulnerability. However, due to customer requests, the problem was addressed as a regular bug in the following update for the httpd package in Red Hat Enterprise Linux 4 (released with 4.7):
* the request method is escaped in the built-in HTTP error responses.
The fix is also planned to be released in the httpd bug fix errata included in Red Hat Enterprise Linux 5.3.
(In reply to comment #6)
> The fix is also planned to be released in the httpd bug fix errata included in
> Red Hat Enterprise Linux 5.3.
Included now also in httpd packages for Red Hat Enterprise Linux 5 as of:
Patch name in SRPM: httpd-2.0.52-escaperrs.patch
Red Hat does not consider this issue to be a vulnerability. In order to exploit this for cross-site scripting, the attacker would have to get the victim to supply an arbitrary malformed HTTP method to a target site. However, this has been fixed in Red Hat Enterprise Linux 5 via RHBA-2009:0185 as a bug fix.
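
The fix described in this report, escaping the request method before it is reflected in a built-in error response, sketched in C as an added example (not the httpd patch and not part of the original bug report). The function names, the body wording and the sample method string are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not httpd's code: HTML-escape src into dst.
 * Returns 0 on success, -1 if dst is too small. */
static int escape_html(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    if (dstlen == 0) return -1;
    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep = one;
        if (*src == '<') rep = "&lt;";
        else if (*src == '>') rep = "&gt;";
        else if (*src == '&') rep = "&amp;";
        else if (*src == '"') rep = "&quot;";
        size_t n = strlen(rep);
        if (o + n >= dstlen) return -1;   /* keep room for the NUL */
        memcpy(dst + o, rep, n);
        o += n;
    }
    dst[o] = '\0';
    return 0;
}

/* Build a 413 error body that reflects the request method (illustrative
 * wording). escape == 0 reproduces the reported behaviour; escape != 0
 * is the fixed behaviour. Returns 0 on success, -1 on overflow. */
static int build_413_body(const char *method, int escape, char *out, size_t outlen)
{
    char safe[256];
    if (escape) {
        if (escape_html(method, safe, sizeof safe) != 0) return -1;
        method = safe;
    }
    int n = snprintf(out, outlen, "<h1>Request Entity Too Large</h1>\n"
                     "<p>Request data is not allowed with %s requests.</p>\n", method);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    const char *method = "<i>x</i>GET";   /* constructed sample input */
    char body[512];
    if (build_413_body(method, 0, body, sizeof body) == 0) printf("unescaped:\n%s", body);
    if (build_413_body(method, 1, body, sizeof body) == 0) printf("escaped:\n%s", body);
    return 0;
}
```

When escaping would overflow the scratch buffer the builder returns -1, so a caller can fall back to a fixed body that reflects nothing from the request.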