Security Advisories

FSC-2010-2: EXPECT-HEADER SANITATION VULNERABILITY

Description

F-Secure Policy Manager Server does not sanitize the Expect header of an HTTP request before reflecting it back in an error message. This might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests.

For more information on this vulnerability, see CVE-2006-3918.
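
The following added example is not F-Secure's code; it models the pattern the advisory describes (an error page that echoes an unsupported Expect header value) next to the escaped form, and a check that tells the two apart. The request bytes, host name, error template and function names are all constructed for the example.

```python
import html
from typing import Dict, Tuple

# Added example (not F-Secure's code): minimal model of a server that answers an
# Expect header it cannot honour with a 417 error page echoing the header value.

def parse_headers(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Parse a raw HTTP/1.1 request head into (request line, lower-cased header map)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

# Constructed error template; the header value is substituted into HTML.
ERROR_TEMPLATE = ("<html><body><h1>417 Expectation Failed</h1>"
                  "<p>The expectation given in the Expect request-header field "
                  "could not be met: {expect}</p></body></html>")

def respond(raw_request: bytes, hardened: bool) -> str:
    """Return the HTTP response text.
    hardened=False reproduces the vulnerable behaviour (verbatim reflection);
    hardened=True HTML-escapes the header value before it reaches the page."""
    _, headers = parse_headers(raw_request)
    expect = headers.get("expect")
    if expect is None or expect.lower() == "100-continue":
        return "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nOK"
    shown = html.escape(expect, quote=True) if hardened else expect
    body = ERROR_TEMPLATE.format(expect=shown)
    return ("HTTP/1.1 417 Expectation Failed\r\n"
            "Content-Type: text/html\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")

def reflects_markup_unescaped(response: str, marker: str) -> bool:
    """Verification check for a captured response: does the error body echo the
    marker with its markup intact? True means the header is reflected without
    encoding, which is the condition the advisory describes."""
    body = response.split("\r\n\r\n", 1)[1]
    return marker in body

# Constructed sample request with a harmless markup marker (not an exploit payload).
SAMPLE_REQUEST = (b"GET / HTTP/1.1\r\n"
                  b"Host: pm-server.example\r\n"
                  b"Expect: <b>marker</b>\r\n\r\n")

if __name__ == "__main__":
    for hardened in (False, True):
        r = respond(SAMPLE_REQUEST, hardened)
        label = "hardened" if hardened else "vulnerable"
        print(label, "reflects raw markup:", reflects_markup_unescaped(r, "<b>marker</b>"))
```

The check looks only at the response body, so it can also be run over responses captured from a proxy or packet log when confirming that a server has picked up the definition-channel fix.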

Affected Products

Risk Level: LOW (Low/Medium/High/Critical)

F-Secure Policy Manager Server 8.00
F-Secure Policy Manager Server 8.10 and 8.11


Platforms

All supported platforms


Mitigating Factor

A fix for the problem has been distributed through the malware definition database update channel. The hotfixes in this advisory are therefore only needed on systems that, for some reason, are not updated automatically.


Patch Available

Product                                      Versions     Download
F-Secure Policy Manager Server for Windows   8.00         ftp.f-secure.com/support/hotfix/fspm/fspm-8.00-hotfix-1-windows.zip
F-Secure Policy Manager Server for Linux     8.00         ftp://ftp.f-secure.com/support/hotfix/fspm-linux/fspm-8.00-hotfix-1-linux.zip
F-Secure Policy Manager Server for Windows   8.10, 8.11   ftp://ftp.f-secure.com/support/hotfix/fspm/fspm-8.1x-hotfix-2-windows.zip
F-Secure Policy Manager Server for Linux     8.10, 8.11   ftp://ftp.f-secure.com/support/hotfix/fspm-linux/fspm-8.1x-hotfix-1-linux.zip

Date Issued: 2010-06-23
Last Updated: 2010-06-23
