Apache protocol.c Cookie Disclosure
https://packetstormsecurity.com/files/109284/httponly-disclose.txt
https://packetstormsecurity.com/files/109284/httponly-disclose.txthttps://packetstormsecurity.com/files/109284/Apache-protocol.c-Cookie-Disclosure.htmlTue, 31 Jan 2012 11:11:11 GMTProof of concept code for a vulnerability in protocol.c from Apache versions 2.2.x through 2.2.21. The issue is that it does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies.