CVE-2006-3918

Apache HTTP Server 1.3.3-1.3.34 - Cross-Site Scripting via Expect Header

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2006-3918. PoCs published by Thiago Zaninotti, reallyngb.

AI-analyzed exploit summary This exploit demonstrates a header injection vulnerability in Apache HTTP Server, allowing an attacker to inject malicious scripts via the 'Expect' header. The PoC uses ActionScript to send a crafted HTTP request with a script payload, potentially leading to XSS attacks.

Description

http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Thiago Zaninotti · textremotelinux
https://www.exploit-db.com/exploits/28424

This exploit demonstrates a header injection vulnerability in Apache HTTP Server, allowing an attacker to inject malicious scripts via the 'Expect' header. The PoC uses ActionScript to send a crafted HTTP request with a script payload, potentially leading to XSS attacks.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Apache HTTP Server (versions affected by CVE-2006-3918)
No auth needed
Prerequisites: A vulnerable Apache HTTP Server instance · Ability to send crafted HTTP requests to the target
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →
nomisec WRITEUP
by reallyngb · poc
https://github.com/reallyngb/badstore-webapp-pentest

The repository provides a black-box penetration test report for the BadStore e-commerce platform, covering SQL injection, CVE-2006-3918, and other attack techniques. It includes MITRE ATT&CK mappings and OSINT-driven findings but lacks direct exploit code.

Classification
Writeup 70%
Attack Type
Sqli
Complexity
Moderate
Reliability
Theoretical
Target: BadStore e-commerce platform
No auth needed
Prerequisites: access to BadStore web application
mistral-large-3 · analyzed May 29, 2026 Full analysis →

References (56)

Core 56
Core References
Broken Link vendor-advisory x_refsource_sgi
ftp://patches.sgi.com/support/free/security/advisories/20060801-01-P
Permissions Required vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/1572
Exploit, Vendor Advisory x_refsource_confirm
http://svn.apache.org/viewvc?view=rev&revision=394965
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/28749
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2006/dsa-1167
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/19661
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21744
Broken Link, Exploit mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2006-07/0425.html
Issue Tracking, Mailing List, Third Party Advisory vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=125631037611762&w=2
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1024144
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/22317
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/22523
Issue Tracking, Mailing List, Third Party Advisory vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=130497311408250&w=2
Permissions Required vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/5089
Permissions Required vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/3264
Broken Link, Exploit mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2006-05/0151.html
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21598
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21399
Third Party Advisory x_refsource_confirm
http://support.avaya.com/elmodocs2/security/ASA-2006-194.htm
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21478
Third Party Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2006-0619.html
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21986
Issue Tracking, Mailing List, Third Party Advisory vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=129190899612998&w=2
Permissions Required vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/4207
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21848
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2006-0618.html
Third Party Advisory vendor-advisory x_refsource_aixapar
http://www-1.ibm.com/support/docview.wss?uid=swg1PK24631
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00004.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2006-0692.html
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/40256
Third Party Advisory vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2006_51_apache.html
Permissions Required vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/2963
Not Applicable, Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21174
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/usn-575-1
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/29640
Exploit, Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/1294
Third Party Advisory vendor-advisory x_refsource_openbsd
http://openbsd.org/errata.html#httpd2
Third Party Advisory vendor-advisory x_refsource_aixapar
http://www-1.ibm.com/support/docview.wss?uid=swg24013080
Not Applicable, Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21172
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1016569
Permissions Required vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/2964
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/22140

Scores

EPSS 0.9428
EPSS Percentile 99.8%

Details

CWE
CWE-79
Status published
Products (8)
apache/http_server 1.3.3 - 1.3.35
canonical/ubuntu_linux 6.06
canonical/ubuntu_linux 6.10
canonical/ubuntu_linux 7.04
canonical/ubuntu_linux 7.10
debian/debian_linux 3.1
redhat/enterprise_linux_server 2.0
redhat/enterprise_linux_workstation 2.0
Published Jul 28, 2006
Tracked Since Feb 18, 2026