FSC-2010-2: Expect-header Sanitation Vulnerability
Brief Description
F-Secure Policy Manager Server does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests.
For more information on this vulnerability, see CVE-2006-3918.
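As an added illustration that is not part of this advisory or of F-Secure's code, the Python handler below contrasts the vulnerable pattern (a client-supplied Expect value interpolated verbatim into a 417 error page) with a hardened one that HTML-escapes and length-caps the value before reflecting it. The error wording, the sample header value and the handler are constructed here as assumptions.

```python
import html
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample header value containing markup. Any Expect value other
# than "100-continue" is an unmet expectation and yields a 417 response.
SAMPLE_EXPECT = "<i>bogus-expectation</i>"

ERROR_TEMPLATE = ("<html><body><h1>Expectation Failed</h1>"
                  "<p>The expectation given in the Expect request-header "
                  "field could not be met: {value}</p></body></html>")


def error_body_unsafe(expect_value: str) -> str:
    """Vulnerable pattern: the raw header value lands in the HTML body."""
    return ERROR_TEMPLATE.format(value=expect_value)


def error_body_safe(expect_value: str) -> str:
    """Hardened pattern: escape markup characters (including quotes) and cap
    the length so an oversized header cannot bloat the error page."""
    shown = html.escape(expect_value[:200], quote=True)
    return ERROR_TEMPLATE.format(value=shown)


def is_reflected_unescaped(body: str, value: str) -> bool:
    """True if the client-supplied value appears verbatim in the response body."""
    return value in body


class ExpectAwareHandler(BaseHTTPRequestHandler):
    """Minimal handler that answers unmet Expect values with a safe 417 page."""

    def do_GET(self):
        expect = self.headers.get("Expect")
        if expect is not None and expect.lower() != "100-continue":
            body = error_body_safe(expect).encode("utf-8")
            self.send_response(417)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            # Stop browsers from second-guessing the declared content type.
            self.send_header("X-Content-Type-Options", "nosniff")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), ExpectAwareHandler).serve_forever()
```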
Affected Platforms
All supported platforms
Risk Level: LOW (Low/Medium/High/Critical)
Products
• F-Secure Policy Manager Server 8.00
• F-Secure Policy Manager Server 8.10 and 8.11
Mitigating Factors
A fix for the problem has been distributed through the malware definition database update channel. This advisory is therefore relevant only to systems that, for whatever reason, do not receive automatic updates.
Patch Available
| Product | Versions | Download |
|---|---|---|
| F-Secure Policy Manager Server for Windows | 8.00 | ftp://ftp.f-secure.com/support/hotfix/fspm/fspm-8.00-hotfix-1-windows.zip |
| F-Secure Policy Manager Server for Linux | 8.00 | ftp://ftp.f-secure.com/support/hotfix/fspm-linux/fspm-8.00-hotfix-1-linux.zip |
| F-Secure Policy Manager Server for Windows | 8.10, 8.11 | ftp://ftp.f-secure.com/support/hotfix/fspm/fspm-8.1x-hotfix-2-windows.zip |
| F-Secure Policy Manager Server for Linux | 8.10, 8.11 | ftp://ftp.f-secure.com/support/hotfix/fspm-linux/fspm-8.1x-hotfix-1-linux.zip |
Date Issued: 2010-06-23
Last Updated: 2010-06-23