VYPR
Unrated severity · NVD Advisory · Published Dec 3, 2007 · Updated Apr 23, 2026

CVE-2007-6203

Description

Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated via an HTTP request containing an invalid Content-length value, a similar issue to CVE-2006-3918.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache HTTP Server does not HTML-escape the request method token when it reflects it in its built-in "413 Request Entity Too Large" error page, enabling reflected XSS.

Vulnerability

CVE-2007-6203 is a reflected cross-site scripting (XSS) vulnerability in Apache HTTP Server 2.0.x and 2.2.x. The NVD description calls the affected field the "HTTP Method specifier header"; concretely it is the method token at the start of the request line, which the server copies into the body of its built-in "413 Request Entity Too Large" error page without HTML-escaping it. The error can be provoked by a request whose Content-Length value is not a valid number, the trigger cited in the description [1][2][4]; any request that ends in the built-in 413 page reflects the method token the same way. The issue is of the same class as the earlier CVE-2006-3918, in which the Expect request header was reflected unescaped in an error response.

Exploitation

No authentication is needed and the request can come from anywhere on the network, but this is a reflected issue: the unescaped method appears only in the response to the request that carried it, so the victim's own client has to send the malformed request and then render the 413 page. A plain link or form submission cannot do that, because browsers issue only GET or POST requests that way; the description therefore scopes the attack to web client components that can send arbitrary headers and request lines [2][4]. Given such a component, the attacker supplies a method token containing HTML markup or script together with an invalid Content-Length value, the server answers with its built-in 413 page with the token inserted verbatim, and the browser executes it in the origin of the vulnerable site.
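The probe and check described above, as an added example that is not part of this advisory or of the httpd project's own code: it builds the malformed request (an arbitrary method token plus a non-numeric Content-Length) and classifies the answer by whether the token comes back raw or HTML-escaped. The two sample responses are constructed here and modelled on httpd's built-in 413 page, not copied from it; probe() is the only part that touches the network and the host name used in it is a placeholder. Run the live probe only against systems you are authorised to test.

```python
"""Probe builder and response classifier for CVE-2007-6203.

Added example; the helpers and sample responses are constructed for
illustration and are not taken from the advisory or from httpd.
"""
import html
import socket

# Marker used as the request method token. An RFC 2616 token cannot legally
# contain '<' or '>', which is exactly why a server that echoes the token
# unescaped produces live markup in its error page.
MARKER = "<i>cve-2007-6203</i>"


def build_probe(host: str, path: str = "/", marker: str = MARKER) -> bytes:
    """Build the raw request that triggers the reflection.

    The method token is the marker and Content-Length is deliberately not a
    number: on affected httpd versions the invalid length makes the server
    answer 413 with its built-in error page, which names the method.
    """
    request = (
        f"{marker} {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Length: not-a-number\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return request.encode("ascii")


def classify(response: bytes, marker: str = MARKER) -> str:
    """Classify a raw HTTP response to the probe.

    'vulnerable'   the marker appears verbatim in a 413 body
    'fixed'        only the HTML-escaped marker appears in a 413 body
    'inconclusive' not a 413, or the method is not echoed at all
    """
    head, _, body = response.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = status_line.split(" ")
    if len(parts) < 2 or parts[1] != "413":
        return "inconclusive"
    text = body.decode("latin-1", "replace")
    if marker in text:
        return "vulnerable"
    if html.escape(marker, quote=False) in text:
        return "fixed"
    return "inconclusive"


def _sample_response(escaped: bool) -> bytes:
    """Constructed 413 response modelled on httpd's built-in error page.

    The method token is echoed raw (vulnerable) or HTML-escaped (fixed).
    """
    method = html.escape(MARKER, quote=False) if escaped else MARKER
    body = (
        "<html><head>\n<title>413 Request Entity Too Large</title>\n"
        "</head><body>\n<h1>Request Entity Too Large</h1>\n"
        "The requested resource<br />/<br />\n"
        f"does not allow request data with {method} requests, or the amount "
        "of data provided in\nthe request exceeds the capacity limit.\n"
        "</body></html>\n"
    )
    return (
        "HTTP/1.1 413 Request Entity Too Large\r\n"
        "Connection: close\r\n"
        "Content-Type: text/html; charset=iso-8859-1\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n" + body
    ).encode("latin-1")


VULNERABLE_RESPONSE = _sample_response(escaped=False)  # constructed sample
FIXED_RESPONSE = _sample_response(escaped=True)        # constructed sample


def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send the probe over plain TCP and classify the answer (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe(host))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return classify(b"".join(chunks))


if __name__ == "__main__":
    print("constructed vulnerable response:", classify(VULNERABLE_RESPONSE))
    print("constructed fixed response:", classify(FIXED_RESPONSE))
    # probe("target.example")  # placeholder host; only with authorisation
```

The probe has to be written to a raw socket because no browser navigation can emit a request line like this, which is the practical limit on exploitation: only a client component that can send arbitrary request lines puts the victim's browser in the position of rendering the reflected token.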

Impact

Successful exploitation results in reflected cross-site scripting. An attacker can inject arbitrary HTML or JavaScript into a victim's browser, potentially leading to session hijacking, cookie theft, defacement, or redirection to malicious sites. The effect is confined to the origin of the vulnerable server, and exploitation depends on getting the victim's client to issue the malformed request and render the resulting error page [1][4].

Mitigation

Patches are available from multiple vendors. IBM released PK65782 for IBM HTTP Server 2.0.47.1 [1]. HP provided updates for HP-UX Apache-based Web Server: versions before v2.2.8.05 (HP-UX B.11.23, B.11.31) and v2.0.59.12 (HP-UX B.11.11, B.11.23, B.11.31) [2]; later a fix was included in Apache-based Web Server v2.0.63.01 (Web Server Suite v2.32) [3]. Ubuntu included fixes in USN-731-1 for Ubuntu 6.06 LTS and 7.10 [4]. Upgrade to a fixed version or apply the vendor patch. The cited advisories list no workaround for unpatched installations; since the unescaped token appears only in Apache's built-in 413 error text, serving a custom ErrorDocument for status 413 avoids that canned page and limits exposure, but that is defence in depth rather than a fix.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Apache/HTTP Server (26 versions)
    • cpe:2.3:a:apache:http_server:2.0.46:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.47:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.48:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.49:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.50:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.51:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.52:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.53:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.54:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.55:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.57:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.58:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.59:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.1.7:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.1.8:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:*
    • (no CPE) range: 2.0.x and 2.2.x

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (31)

News mentions (0)

No linked articles in our index yet.