I traded a few emails with Titon (titon[at]bastardlabs.com) regarding the Expect XSS vulnerability in Flash against older versions of Apache. I hadn’t realized that Flash had closed down the Expect: header. It appears, however, that there is a way to resurrect that vulnerability. If you recall, the old syntax was:
Well, it appears that is now blocked in current versions of Flash. However, Titon found a way around that:
It appears it was doing some sort of pattern match or direct string comparison, and by adding anything after the colon you can bypass the protection. Here is an example he created against SecurityFocus. So it looks like the vulnerability is back. It’s surprising how many sites are still vulnerable to this attack. So if you haven’t updated Apache and have any interest in security, you probably should. Nice work by Titon!
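The failure mode described above, as an added example that is not from the original post and is not Flash's or Apache's own code: a hypothetical client-side header blocklist that compares the whole line literally (so anything after the colon slips past it) next to one that parses the field name out first, plus a model of the server-side fix, escaping the reflected Expect value before it lands in an HTML error page. The blocklist contents, the `render_417` template and all sample header lines are constructed for the example.

```python
"""Added example: why a literal "Expect:" string check is bypassable, and how a
parsed-name check and output escaping close the hole. Not Flash or Apache code;
every input below is a constructed sample."""
import html
from typing import Optional

# Assumption: a hypothetical client-side blocklist of headers that scripts may
# not set. Not Flash's real list.
BLOCKED_HEADERS = {"expect", "host", "content-length"}


def naive_is_blocked(header_line: str) -> bool:
    """Literal whole-line comparison, the pattern the post says Flash used.
    Only the bare "Expect:" line matches; "Expect: anything" does not."""
    return header_line.strip().lower() in {name + ":" for name in BLOCKED_HEADERS}


def header_name(header_line: str) -> Optional[str]:
    """Return the normalized field name of a 'Name: value' line, or None if
    the line has no colon and so is not a header at all."""
    name, sep, _value = header_line.partition(":")
    if not sep:
        return None
    return name.strip().lower()


def normalized_is_blocked(header_line: str) -> bool:
    """Compare only the parsed field name, so trailing text cannot evade it."""
    name = header_name(header_line)
    return name is not None and name in BLOCKED_HEADERS


def render_417(expect_value: str, escape: bool = True) -> str:
    """Model of a 417 error page that echoes the Expect value back to the
    client (hypothetical template, not Apache's). With escape=True the value
    is HTML-escaped, which is the server-side fix for the reflected XSS."""
    shown = html.escape(expect_value, quote=True) if escape else expect_value
    return f"<p>Expectation failed: {shown}</p>"


def compare_filters(lines):
    """Run both filters over a list of header lines; returns {line: (naive, normalized)}."""
    return {line: (naive_is_blocked(line), normalized_is_blocked(line)) for line in lines}


if __name__ == "__main__":
    samples = [
        "Expect:",               # blocked by both filters
        "Expect: 100-continue",  # slips past the naive filter
        "expect:anything",       # also slips past the naive filter
        "X-Custom: fine",        # allowed by both
    ]
    for line, (naive, norm) in compare_filters(samples).items():
        print(f"{line!r:26} naive_blocked={naive!s:5} normalized_blocked={norm}")
    tainted = "<script>alert(1)</script>"  # constructed reflected value
    print(render_417(tainted, escape=False))  # vulnerable: markup reflected as-is
    print(render_417(tainted))                # fixed: markup rendered as text
```

The point of the two filters is that a blocklist must be applied to the parsed field name, not to the raw line; the point of `render_417` is that the real defect was on the server side, so a client-side blocklist only ever mitigated it, and upgrading Apache is what actually closes it.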
Update: Amit alerted me to one of the old papers on Flash header injection. The paper came out a year ago. While I don’t think this is exactly the same, since this is talking about the Expect vuln, it is worth mentioning since it’s solved in almost an identical way.