A fix is available
APAR status
Closed as program error.
Error description
The default error response for HTTP status 413 echoes the input HTTP method, such as POST or PUT, in the response without HTML-escaping it. Theoretical client software defects could be used with this incorrect response to create a cross-site scripting vulnerability. (No such defects have been identified.) Although this defect is not a web server vulnerability, the issue is being tracked by CVE-2007-6203 because, when the problem was first found, it was thought that this web server defect was directly exploitable.
Local fix
Problem summary
USERS AFFECTED: All

PROBLEM DESCRIPTION: invalid data from client echoed in error responses; potential client software defects, in combination with these error responses, could be used in a cross-site scripting attack

RECOMMENDATION: This fix is recommended as a preventative measure for all customers.

Error responses for HTTP errors 405, 411, and 417 echoed the input HTTP method in the error response unescaped. User input should be HTML-escaped in server-generated responses to avoid potential cross-site scripting attacks. Note that there is no known way for an attacker to control the input HTTP method sent from the client in order to exploit these error responses.
Problem conclusion
When generating the error responses for errors 405, 411, and 417, the input HTTP method is now HTML-escaped when included in the error response, in order to prevent potential cross-site scripting vulnerabilities with clients that can be forced to send requests with arbitrary HTTP methods. This fix is targeted for fix packs 6.1.0.15 and 6.0.2.27, and for cumulative fix PK65782 for IBM HTTP Server 2.0.47.
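As an added illustration of the defect and the fix described above (this is example code written for this page, not IBM HTTP Server or Apache source), the Python below models an error page that quotes the request method back to the client, both before the fix (method inserted verbatim) and after it (method HTML-escaped, the counterpart of the ap_escape_html call in the fix). It also includes the check a practitioner would run against a test server: build a raw request whose method token carries an HTML metacharacter, and inspect the returned body for an unescaped reflection. The page wording in TEMPLATES is simplified and assumed; the real 405 and 411 templates differ, but both quoted the method. Which status a given deployment returns for an unusual method is also an assumption, which is why the checker works on any captured body.

```python
"""Added example for APAR PK57952 / CVE-2007-6203: reflected request method
in an HTTP error page, pre-fix versus HTML-escaped, plus a probe builder and
a checker. Not IBM HTTP Server code; templates and statuses are assumptions."""
import html
import socket

# Assumed, simplified wording of the 405 and 411 error pages. The real
# server templates read differently, but both quote the request method.
TEMPLATES = {
    405: "The requested method {method} is not allowed for the URL {url}.",
    411: "A request of the requested method {method} requires a valid Content-length.",
}


def parse_request_line(raw: bytes) -> tuple:
    """Return (method, request-target) from the first line of a raw request.
    The method is an arbitrary client-chosen token, which is why it must be
    treated as untrusted input when the server echoes it."""
    line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % line)
    return parts[0], parts[1]


def escape_html(text: str) -> str:
    """HTML-escape a value before embedding it in a server-generated page.
    quote=True also escapes quotes; that is stricter than the minimum the
    fix needs (<, >, &) and is the safer default for any HTML context."""
    return html.escape(text, quote=True)


def error_body(status: int, method: str, url: str, escaped: bool = True) -> str:
    """Build the error page. escaped=False reproduces the pre-fix behaviour
    in which the method token is copied into the HTML verbatim."""
    if escaped:
        method, url = escape_html(method), escape_html(url)
    msg = TEMPLATES[status].format(method=method, url=url)
    return ("<html><head><title>%d</title></head><body>\n"
            "<p>%s</p>\n</body></html>\n" % (status, msg))


def reflects_unescaped(body: str, method: str) -> bool:
    """True if the method token was echoed into the body without escaping a
    character that has HTML meaning. A method with nothing to escape (POST)
    cannot demonstrate the defect, so it never counts as a finding."""
    if method == escape_html(method):
        return False
    return method in body


def probe_request(method: str, host: str, path: str = "/") -> bytes:
    """Raw request whose method token is the marker. Against a static
    resource most servers answer with 405 or another method-related error;
    which one is returned depends on the deployment (assumption)."""
    return ("%s %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
            % (method, path, host)).encode("latin-1")


def send_probe(host: str, port: int, raw: bytes, timeout: float = 5.0) -> str:
    """Send a raw request over a plain TCP socket and return the response
    text. Not called here; use it against a server you are allowed to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(raw)
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


if __name__ == "__main__":
    marker = "<script>alert(1)</script>"
    # Constructed sample: the same request line before and after the fix.
    method, target = parse_request_line(probe_request(marker, "example.test"))
    for fixed in (False, True):
        body = error_body(405, method, target, escaped=fixed)
        print("fixed" if fixed else "pre-fix", "->",
              "UNESCAPED reflection" if reflects_unescaped(body, method)
              else "method escaped")
```

To test a real server, send `probe_request(marker, host)` with `send_probe` (or pipe the bytes through `nc`) and pass the response body with the same marker to `reflects_unescaped`. The marker must contain an HTML metacharacter; a plain `POST` or `PUT` tells you nothing either way, which is also why the browser-sent methods in the original description are harmless on their own.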
Temporary fix
Comments
APAR Information
APAR number
PK57952
Reported component name
IBM HTTP SERVER
Reported component ID
5724J0801
Reported release
60A
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2007-12-10
Closed date
2007-12-20
Last modified date
2008-05-23
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
HTTPD
Fix information
Fixed component name
IBM HTTP SERVER
Fixed component ID
5724J0801
Applicable component levels
R60A PSN
UP
R60H PSN
UP
R60P PSN
UP
R60I PSN
UP
R60S PSN
UP
R60W PSN
UP
R60Z PSN
UP
R61A PSN
UP
R61H PSN
UP
R61P PSN
UP
R61I PSN
UP
R61W PSN
UP
R61Z PSN
UP
Document Information
Modified date:
07 September 2022