Description
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.
Remediation
References
Related Vulnerabilities
WordPress Plugin Contact Form DB Multiple Cross-Site Scripting Vulnerabilities (2.8.15)
Joomla! Core 3.x.x SQL Injection (3.0.0 - 3.4.6)
WordPress Plugin Answer My Question Multiple Cross-Site Scripting Vulnerabilities (1.1)
WordPress Plugin Google XML Sitemaps Cross-Site Scripting (4.0.9)
WordPress Plugin Advanced Ads-Ad Manager & AdSense Unspecified Vulnerability (1.7.1.1)