CWE-644
Improper Neutralization of HTTP Headers for Scripting Syntax
Haute
Incomplete
2008-01-30
00h00 +00:00
00h00 +00:00
2025-12-11
00h00 +00:00
00h00 +00:00
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Nom: Improper Neutralization of HTTP Headers for Scripting Syntax
The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.
Informations générales
Modes d'introduction
ImplementationPlateformes applicables
Langue
Class: Not Language-Specific (Undetermined)Technologies
Class: Web Based (Undetermined)Name: Web Server (Undetermined)
Conséquences courantes
| Portée | Impact | Probabilité |
|---|---|---|
| Integrity Confidentiality Availability | Execute Unauthorized Code or Commands Note: Run arbitrary code. | |
| Confidentiality | Read Application Data Note: Attackers may be able to obtain sensitive information. |
Exemples observés
| Références | Description |
|---|---|
CVE-2006-3918 | Web server does not remove the Expect header from an HTTP request when it is reflected back in an error message, allowing a Flash SWF file to perform XSS attacks. |
Mesures d’atténuation potentielles
Phases : Architecture and DesignPerform output validation in order to filter/escape/encode unsafe data that is being passed from the server in an HTTP response header.
Phases : Architecture and Design
Disable script execution functionality in the clients' browser.
Notes de cartographie des vulnérabilités
Justification : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Soumission
| Nom | Organisation | Date | Date de publication | Version |
|---|---|---|---|---|
| Evgeny Lebanidze | Cigital | Draft 8 |
Modifications
| Nom | Organisation | Date | Commentaire |
|---|---|---|---|
| Sean Eidemiller | Cigital | added/updated demonstrative examples | |
| CWE Content Team | MITRE | updated Common_Consequences, Relationships, Observed_Example | |
| CWE Content Team | MITRE | updated Description, Name, Observed_Examples, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Description, Name | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Description, Name | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, Description, Observed_Examples | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Enabling_Factors_for_Exploitation | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Relationships, Time_of_Introduction | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Relationships, Weakness_Ordinalities |
