On Tue, Jun 22, 2010 at 7:24 AM, John Lee <John.Lee@xxxxxxxxxxxxxxx> wrote:
> Dear Apache,
> Could you clarify my original enquiry (listed below - previous email)
> regarding vulnerability "Expect Header Cross-Site Scripting |
> CVE-2006-3918"
>
> Main question: Is vulnerability "Expect Header Cross-Site Scripting |
> CVE-2006-3918" not a security issue regarding apache version 2.0.xx ?
>
> Any feedback on this issue would be helpful.

The underlying defect did affect 2.0 and was fixed, but it was not considered a vulnerability for httpd 2.0 by the Apache HTTP Server project. The reason is given in the CVE-2006-3918 description for 1.3 (http://httpd.apache.org/security/vulnerabilities_13.html):

"Not marked as a security issue for 2.0 or 2.2 as the cross-site scripting is only returned to the victim after the server times out a connection."