CVE-2007-6203

Public Date:
2007-11-30
Bugzilla:
409831: CVE-2007-6203 httpd: Garbage before HTTP method name is not escaped in a reply in case of erroneous request

The MITRE CVE dictionary describes this issue as:

Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated via an HTTP request containing an invalid Content-length value, a similar issue to CVE-2006-3918.
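To make the described defect concrete from the defender's side, the following added example (not code from Red Hat, Apache httpd or MITRE) models the two halves of the issue: an error-page renderer that reflects the request method unescaped next to a hardened one that validates the method against the RFC 2616 token grammar and HTML-escapes it, plus a small scanner that flags access-log entries whose method is not a valid token. The error-page wording, the log lines and the `suspicious_methods` helper are all constructed for illustration.

```python
import html
import re

# RFC 2616 "token": one or more CHARs excluding CTLs and separators.
# A syntactically valid HTTP method must match this.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Apache combined/common log prefix: client, ident, user, [time], "request", status.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic). The second one carries a
# malformed method that a vulnerable server would reflect into its 413 body.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Nov/2007:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234',
    '10.0.0.9 - - [30/Nov/2007:10:00:02 +0000] "<x>bogus</x> / HTTP/1.1" 413 540',
    '10.0.0.7 - - [30/Nov/2007:10:00:03 +0000] "POST /upload HTTP/1.1" 413 540',
]


def is_valid_method(method: str) -> bool:
    """True if the method string is a syntactically valid HTTP token."""
    return bool(_TOKEN_RE.match(method))


def render_413_unsafe(method: str) -> str:
    """Models the flawed behaviour: the client-supplied method is interpolated
    into the HTML error body verbatim (constructed wording, not httpd's)."""
    return (
        "<html><body><h1>Request Entity Too Large</h1>"
        f"<p>Request data is not allowed with {method} requests, "
        "or the data exceeds the configured limit.</p></body></html>"
    )


def render_413_safe(method: str) -> str:
    """Hardened form: reflect the method only after HTML-escaping it, and
    replace anything that is not a valid token with a fixed placeholder."""
    shown = method if is_valid_method(method) else "(invalid method)"
    return (
        "<html><body><h1>Request Entity Too Large</h1>"
        f"<p>Request data is not allowed with {html.escape(shown, quote=True)} requests, "
        "or the data exceeds the configured limit.</p></body></html>"
    )


def suspicious_methods(log_lines):
    """Scan access-log lines and return (client, method, status) for every
    request whose method is not a valid HTTP token. These are the requests
    that would have triggered unescaped reflection on an unpatched server."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as an access-log entry
        method = m.group("req").split(" ", 1)[0]
        if not is_valid_method(method):
            hits.append((m.group("ip"), method, m.group("status")))
    return hits


if __name__ == "__main__":
    for ip, method, status in suspicious_methods(SAMPLE_LOG):
        print(f"{ip} sent malformed method {method!r} (status {status})")
    print(render_413_safe("<x>bogus</x>"))
```

The scanner only inspects the method token; a 413 with a well-formed method (the third sample line) is ordinary oversized-body traffic and is not flagged. The safe renderer both validates and escapes, so even a token-valid but unusual method is shown harmlessly.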

Find out more about CVE-2007-6203 from the MITRE CVE dictionary and NIST NVD.

Statement

Red Hat does not consider this issue to be a vulnerability. In order to exploit this for cross-site scripting, the attacker would have to get the victim to supply an arbitrary malformed HTTP method to a target site. However, this has been fixed in Red Hat Enterprise Linux 5 via RHBA-2009:0185 as a bug fix.

Last Modified

CVE description copyright © 2017, The MITRE Corporation
