httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Fritsch ...@sfritsch.de>
Subject Re: CVE-2007-6203
Date Mon, 17 Dec 2007 21:47:53 GMT
On Monday 17 December 2007, William A. Rowe, Jr. wrote:
> >> This is CVE-2007-6203. Maybe you should add the reference to the
> >> CHANGES file?
> >
> > I don't think that's a good idea since we don't want to mislead
> > users into thinking a security issue exists here.
>
> it potentially does, just not of httpd's creation.  I liked the
> text for the autoindex issue;
>
>    *) mod_autoindex: Add in Type and Charset options to
> IndexOptions directive. This allows the admin to explicitly set the
> content-type and charset of the generated page and is therefore a
> viable workaround for buggy browsers affected by CVE-2007-4465
> (cve.mitre.org). [Jim Jagielski]
>
> I'd use the phrase "hypothetically buggy clients" in this case,
> since there is not a single proof on this incident.

I agree. It might be exploitable with buggy browser plugins using HTTP 
request splitting. See e.g.
http://www.adobe.com/support/security/advisories/apsa06-01.html

It is definitely a bug in flash and not httpd, of course. But the CVE 
id could be added for reference.

Stefan

Mime
View raw message