On Monday 17 December 2007, William A. Rowe, Jr. wrote:
> >> This is CVE-2007-6203. Maybe you should add the reference to the
> >> CHANGES file?
> >
> > I don't think that's a good idea since we don't want to mislead
> > users into thinking a security issue exists here.
>
> it potentially does, just not of httpd's creation. I liked the
> text for the autoindex issue;
>
> *) mod_autoindex: Add in Type and Charset options to
> IndexOptions directive. This allows the admin to explicitly set the
> content-type and charset of the generated page and is therefore a
> viable workaround for buggy browsers affected by CVE-2007-4465
> (cve.mitre.org). [Jim Jagielski]
>
> I'd use the phrase "hypothetically buggy clients" in this case,
> since there is not a single proof on this incident.

I agree. It might be exploitable with buggy browser plugins using HTTP
request splitting. See e.g.

http://www.adobe.com/support/security/advisories/apsa06-01.html

It is definitely a bug in flash and not httpd, of course. But the CVE id
could be added for reference.

Stefan