=====================================================================
CERT-Renater Information Note No. 2010/VULN240
_____________________________________________________________________
DATE                 : 29/06/2010
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running F-Secure Policy Manager Server
                       versions 8.00, 8.10, 8.11.
======================================================================

http://www.f-secure.com/en_EMEA/support/security-advisory/fsc-2010-2.html
______________________________________________________________________

Security Advisory FSC-2010-2
Expect-header sanitation vulnerability

Date issued    2010-06-23
Last updated   2010-06-23
Risk level     Low (Low/Medium/High/Critical)

Brief description
F-Secure Policy Manager Server does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests.
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918

Mitigating factors
NA

Affected platforms
All platforms supported by the affected products.
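The following Python example, added to this note and not part of F-Secure's advisory or product code, illustrates the defect class described above: an unrecognised Expect header value copied verbatim into a 417 error page, shown beside the hardened variant that HTML-escapes it, plus a check a defender can run over a captured error response. The sample request and the error-page template are constructed for illustration.

```python
"""Illustrates the class of defect in FSC-2010-2: an HTTP Expect header
value reflected into an HTML error page without sanitization, next to the
hardened variant. Hypothetical code, not F-Secure's; the error template
and the sample request below are constructed for this example."""
import html

# Constructed sample request: the client sent an Expect value the server
# does not understand, so the server answers 417 and echoes the value.
SAMPLE_HEADERS = {"Expect": '<b>example</b> "quoted"'}

# Constructed error-page template; {value} is where the header is reflected.
ERROR_TEMPLATE = (
    "<html><body><h1>417 Expectation Failed</h1>"
    "<p>The expectation given in the Expect request-header field "
    "could not be met by this server: {value}</p></body></html>"
)


def render_error_unsanitized(headers):
    """Defective pattern: the raw header value is embedded in the HTML."""
    return ERROR_TEMPLATE.format(value=headers.get("Expect", ""))


def render_error_hardened(headers):
    """Fixed pattern: escape &, <, >, and quotes so the value is inert text."""
    return ERROR_TEMPLATE.format(
        value=html.escape(headers.get("Expect", ""), quote=True))


def reflects_markup_unescaped(body, header_value):
    """Defender-side check for a captured error response: True when the
    header value carries markup characters and reappears in the body
    unchanged, i.e. the server did not sanitize it before reflecting it."""
    has_markup = any(c in header_value for c in '<>"\'')
    return has_markup and header_value in body


if __name__ == "__main__":
    value = SAMPLE_HEADERS["Expect"]
    for name, render in (("unsanitized", render_error_unsanitized),
                         ("hardened", render_error_hardened)):
        body = render(SAMPLE_HEADERS)
        print(f"{name:12s} reflects raw markup: "
              f"{reflects_markup_unescaped(body, value)}")
```

The same check applies to any header a server echoes into an error page, not only Expect; the escaping in render_error_hardened is the generic remedy.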
Products
F-Secure Policy Manager Server 8.00
F-Secure Policy Manager Server 8.10 and 8.11

Risk level
Low (Low/Medium/High/Critical)

Notes
-

Advisory location
http://www.f-secure.com/en_EMEA/support/security-advisory/fsc-2010-2.html

Hotfixes (Product / Versions / Download)
F-Secure Policy Manager Server for Windows  8.00
  ftp.f-secure.com/support/hotfix/fspm/fspm-8.00-hotfix-1-windows.zip
F-Secure Policy Manager Server for Linux    8.00
  ftp.f-secure.com/support/hotfix/fspm-linux/fspm-8.00-hotfix-1-linux.zip
F-Secure Policy Manager Server for Windows  8.10, 8.11
  ftp.f-secure.com/support/hotfix/fspm/fspm-8.1x-hotfix-2-windows.zip
F-Secure Policy Manager Server for Linux    8.10, 8.11
  ftp.f-secure.com/support/hotfix/fspm-linux/fspm-8.1x-hotfix-1-linux.zip

Revision history
-

Credits
-

Contact information
Support: http://www.f-secure.com/en_EMEA/support/
Website: http://www.f-secure.com/
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44     +
+ 151 bd de l'Hopital   | fax : 01-53-94-20-41     +
+ 75013 Paris           | email: certsvp@renater.fr +
=========================================================