To fix this, either
- Upgrade to the "2.0.2 release":plone-2.0.2-released *or*
- "Download the simple fix":/documentation/errata/Plone-2.0-headerfix.zip (8 KB), unpack it into your Plone install and restart your Plone server. Full instructions are included; copying two files to the correct location will fix it.
**No Plone version other than 2.0 is affected by this. Plone 1.0.x sites are not vulnerable.**
**The header insertion cannot be performed from a web browser; it has to be scripted to be possible at all.**
One site has been reported as a victim of this problem. Thanks to John Ferlito for discovering and thoroughly analysing the problem.
Thanks to Christian Heimes (Tiran), Leonard Norrgård (vinsci) and Geoff Davis (geoffd) for their extremely swift response and testing/fixing. The bug was fixed in CVS within 48 hours after being reported.