Hi,

Has anybody tried stopping the Apache Expect header XSS vulnerability with mod_security?

I tried these two filters, but they did not work:

SecFilterSelective HEADERS_NAMES "!^(Host|User-Agent|Accept|Accept-Encoding|Accept-Language|Accept-Charset|Keep-Alive|Connection|Referer|TE)$"

Or

SecFilterSelective HEADERS_NAMES "(Expect)"

I tried the first of the filters with the Referer header and it worked fine; but somehow mod_security did not stop connections coming in with an Expect header, and Apache was still vulnerable to the Expect header XSS vulnerability.

Any comments?

Thanks,

- Birol
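Apache evaluates the Expect header while it is still reading the request and answers 417 before request-phase modules such as mod_security get to run, so a rule on HEADERS_NAMES never sees these requests. The check therefore has to sit in front of Apache (a front proxy, for instance). Below is an added example of that check, written for this thread and not taken from the post or from ModSecurity: it reuses the header allowlist from the first filter above, accepts Expect only with the standard 100-continue value so legitimate uploads keep working, and rejects any other Expect value. The function names and the two sample requests are constructed.

```python
import re
from typing import List, Tuple

# Header-name allowlist taken from the first SecFilterSelective rule in the post.
ALLOWED_HEADER_NAMES = re.compile(
    r"^(Host|User-Agent|Accept|Accept-Encoding|Accept-Language|Accept-Charset|"
    r"Keep-Alive|Connection|Referer|TE)$", re.IGNORECASE)

# The only Expect value HTTP/1.1 clients legitimately send; anything else is a
# client error or an attempt to get the value reflected in the 417 page.
EXPECT_VALUE = re.compile(r"^100-continue$", re.IGNORECASE)


def parse_headers(raw_request: bytes) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from the head of a raw HTTP/1.x request.
    Obsolete line folding is not handled; such lines are skipped."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = []
    for line in head.split("\r\n")[1:]:  # drop the request line
        if ":" not in line or line[0] in " \t":
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return headers


def check_request(raw_request: bytes) -> Tuple[bool, str]:
    """Apply the allowlist plus the Expect value check; returns (accept, reason)."""
    for name, value in parse_headers(raw_request):
        if name.lower() == "expect":
            if EXPECT_VALUE.match(value):
                continue  # legitimate 100-continue handshake, let it through
            return False, f"Expect header with unexpected value: {value!r}"
        if not ALLOWED_HEADER_NAMES.match(name):
            return False, f"header not on allowlist: {name}"
    return True, "ok"


# Constructed sample requests (not captured traffic).
LEGIT = (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
         b"Expect: 100-continue\r\nConnection: close\r\n\r\n")
SUSPECT = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
           b"Expect: <script>test</script>\r\n\r\n")

if __name__ == "__main__":
    for req in (LEGIT, SUSPECT):
        print(check_request(req))
```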