Friday, July 08, 2005

Apache Request Smuggling Vulnerability Found: "An anonymous reader writes 'Whitedust is reporting on a HTTP request smuggling vulnerability in Apache. The flaw apparently allows attackers to piggy back valid HTTP requests over the 'Content-Length:' header, which can result in cache poisoning, cross-site scripting, session hijacking and other various kinds of attack. This flaw affects most of the 2.0.x branch of Apache's HTTPD server.'" Extract:
All versions of Apache previous to 2.1.6 are vulnerable to a HTTP request smuggling attack which can allow malicious piggybacking of false HTTP requests hidden within valid content. This method of HTTP Request Smuggling was first discussed by Watchfire some time ago. The issue has been addressed by an update to version 2.1.6.

The vulnerability involves a crafted request with a 'Transfer-Encoding: chunked' header and a 'Content-Length' can cause Apache to forward a modified request with the original 'Content-Length' header. The malicious request may then piggyback with the valid HTTP request possibly resulting in cache poisoning, cross-site scripting, session hijacking and other various kinds of attack. This vulnerability has resurfaced due to vendor confirmation, the original Watchfire Whitepaper on HTTP Request Smuggling is here.



(Via Slashdot.)

No comments: