Unfiltered header injection in Apache 1.3.34/2.0.57/2.2.1
Description
Apache HTTP Server versions 1.3.34, 2.0.57, and 2.2.1 contain a header injection vulnerability in the handling of the "Expect" HTTP header. When Apache receives a malformed Expect header, it reflects the content back to the client without proper sanitization, allowing arbitrary HTML and JavaScript injection. While this header cannot normally be controlled by attackers, research by Amit Klein demonstrated that Adobe Flash 6/7+ can be exploited to forge HTTP request headers, enabling cross-site scripting (XSS) attacks against users of Internet Explorer and Firefox browsers.
Affected versions: Apache 1.3.34 and earlier, 2.0.57 and earlier, 2.2.1 and earlier.
Remediation
Upgrade Apache HTTP Server to a patched version immediately. This vulnerability has been fixed in the following releases:
• Apache 1.3.35 or later (for 1.3.x branch)
• Apache 2.0.58 or later (for 2.0.x branch)
• Apache 2.2.2 or later (for 2.2.x branch)
Remediation steps:
1. Identify the current Apache version by running:
httpd -v
or
apache2 -v
2. Download the appropriate patched version from the official Apache HTTP Server website (http://httpd.apache.org/)
3. Review the upgrade documentation for your specific version and platform
4. Test the upgrade in a non-production environment first
5. Schedule a maintenance window and perform the upgrade
6. Verify the new version is running and test critical functionality
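Step 1 and step 6 both come down to reading the version banner and comparing it against the fixed release for the installed branch. The POSIX shell script below is an added example, not part of this advisory; it parses the output of httpd -v / apache2 -v and reports whether the version is at or above 1.3.35, 2.0.58 or 2.2.2. The banner it checks is a constructed sample, not output captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original advisory.
# Parses "httpd -v" / "apache2 -v" output and decides whether the running
# Apache is at or above the fixed release for its branch:
#   1.3.x -> 1.3.35, 2.0.x -> 2.0.58, 2.2.x -> 2.2.2 (from the advisory).

# Extract "X.Y.Z" from a line of the form "Server version: Apache/X.Y.Z (...)".
extract_apache_version() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# Prints "fixed" and returns 0, or prints "vulnerable" and returns 1.
# Returns 2 and prints nothing when the string is not "major.minor.patch"
# or the branch is not one the advisory covers.
apache_expect_fixed() {
    ver="$1"
    case "$ver" in
        *.*.*) ;;
        *) return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # drop suffixes such as "-dev"
    case "$patch" in
        ''|*[!0-9]*) return 2 ;;     # patch level is not a number
    esac
    case "$major.$minor" in
        1.3) fixed=35 ;;
        2.0) fixed=58 ;;
        2.2) fixed=2 ;;
        *) return 2 ;;               # branch not covered by the advisory
    esac
    if [ "$patch" -ge "$fixed" ]; then
        echo fixed
        return 0
    fi
    echo vulnerable
    return 1
}

# Constructed sample banner for a hypothetical 2.0.x host (not real output).
SAMPLE_HTTPD_V='Server version: Apache/2.0.55
Server built:   Oct 11 2005 12:00:00'

ver=$(extract_apache_version "$SAMPLE_HTTPD_V")
apache_expect_fixed "$ver" >/dev/null && status=0 || status=$?
case "$status" in
    0) echo "Apache $ver: at or above the fixed release" ;;
    1) echo "Apache $ver: upgrade required" ;;
    *) echo "Apache $ver: branch or version format not covered" ;;
esac
```

On a real host, replace the sample with the live banner: apache_expect_fixed "$(extract_apache_version "$(httpd -v)")". The comparison is per branch on purpose, since 2.0.58 is fixed while 2.2.1, although numerically newer, is not.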
If immediate upgrading is not possible, consider implementing a Web Application Firewall (WAF) to filter malicious Expect headers as a temporary mitigation, though this is not a substitute for patching.