[VIM] CVE-2007-5944 vs CVE-2006-3918
Steven M. Christey
coley at linus.mitre.org
Wed Nov 21 00:34:58 UTC 2007
> Is the XSS issue covered by CVE-2007-5944 any different from that in
> CVE-2006-3918? Both arise from a failure to filter user-supplied input
> passed via an Expect header.
CVE-wise, we'll do separate identifiers for separate
codebases/implementations.
These do look pretty similar. So, the only question is whether WebSphere
Web Application server is built on top of Apache or not - my sense is that
it isn't (except maybe a community edition), although
http://publib.boulder.ibm.com/infocenter/wasinfo/v5r1//index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tins_installIHS2.html
suggests strong support for Apache as a plugin (via IBM HTTP Server, which
is "powered by apache").
Current CVE analysis is:
ABSTRACTION: CVE-2006-3918 is for Apache. This is based on IBM
documents that mention WebSphere Application Server (WAS). WAS can
install an IBM HTTP Server plug-in, which is based on Apache, but it can
also install separate products. It is not clear whether WAS implements
its own functionality that has the Expect header issue, or whether it's
"inheriting" it from the web servers that it uses.
I've made a note of the possible dupe.
- Steve
More information about the VIM
mailing list