
Product Security

FSC-2010-2: Expect-header Sanitation Vulnerability


Brief Description

F-Secure Policy Manager Server does not sanitize the Expect header of an HTTP request before reflecting it back in an error message. This might allow cross-site scripting (XSS) style attacks through web client components that can send arbitrary headers in requests.

For more information on this vulnerability, see CVE-2006-3918.
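As an added illustration (not the vendor's code; the advisory does not show the real error page, so its layout is an assumption), the reflecting error body in its unsanitized and escaped forms, plus a check an administrator can run against a captured error response to confirm that the deployed server escapes the header:

```python
import html

# Assumed error-page layout, modelled on a generic HTTP 417 page; the real
# Policy Manager Server page is not shown in the advisory.
ERROR_TEMPLATE = (
    "<html><head><title>417 Expectation Failed</title></head><body>"
    "<h1>Expectation Failed</h1>"
    "<p>The expectation given in the Expect request-header field "
    "could not be met by this server.</p>"
    "<p>The client sent</p><pre>Expect: {expect}</pre>"
    "</body></html>"
)


def error_body_unsanitized(expect_value: str) -> str:
    """Defect class from the advisory: the header value is copied verbatim
    into the HTML error page, so any markup inside it becomes part of the page."""
    return ERROR_TEMPLATE.format(expect=expect_value)


def error_body_sanitized(expect_value: str) -> str:
    """Fixed form: HTML-escape the value before reflecting it. With quote=True
    the characters < > & \" and ' are all converted to entities."""
    return ERROR_TEMPLATE.format(expect=html.escape(expect_value, quote=True))


def reflects_markup_unescaped(body: str, probe: str) -> bool:
    """Patch-verification check: given the body of an error response produced
    for a request whose Expect header carried `probe` (a benign marker that
    contains HTML metacharacters), report whether the raw marker came back.
    A probe without any metacharacter cannot distinguish the two cases."""
    if not any(ch in probe for ch in "<>&\"'"):
        raise ValueError("probe must contain an HTML metacharacter to be meaningful")
    return probe in body


# Constructed benign probe: a bogus expectation wrapped in angle brackets.
PROBE = "<fspms-hotfix-check>"
```

A response whose body contains the probe unchanged still reflects the header verbatim; a fixed server returns it as `&lt;fspms-hotfix-check&gt;`.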

Affected Platforms

All supported platforms


Risk Level: LOW (Low/Medium/High/Critical)

•  F-Secure Policy Manager Server 8.00
•  F-Secure Policy Manager Server 8.10 and 8.11

Mitigating Factors

A fix for the problem has been distributed through the malware definition database update channel. This advisory is relevant only to systems that, for some reason, are not updated automatically.

Patch Available

Product                                       Versions    Download
F-Secure Policy Manager Server for Windows    8.00        ftp.f-secure.com/support/hotfix/fspm/fspm-8.00-hotfix-1-windows.zip
F-Secure Policy Manager Server for Linux      8.00        ftp://ftp.f-secure.com/support/hotfix/fspm-linux/fspm-8.00-hotfix-1-linux.zip
F-Secure Policy Manager Server for Windows    8.10, 8.11  ftp://ftp.f-secure.com/support/hotfix/fspm/fspm-8.1x-hotfix-2-windows.zip
F-Secure Policy Manager Server for Linux      8.10, 8.11  ftp://ftp.f-secure.com/support/hotfix/fspm-linux/fspm-8.1x-hotfix-1-linux.zip

Date Issued: 2010-06-23
Last Updated: 2010-06-23
