
Bug#316173: apache2: Security issues in HTTP proxy responses with both Transfer-Encoding and Content-Length headers



Steve Kemp wrote:
> > |    Proxy HTTP: If a response contains both Transfer-Encoding
> > |    and a Content-Length, remove the Content-Length to eliminate
> > |    an HTTP Request Smuggling vulnerability and don't reuse the
> > |    connection, stopping some HTTP Request Spoofing attacks.
> 
>   Can I be the first to say that I don't understand the nature of this
>  issue?

This seems to be an Apache-specific variation of the HTTP Request Smuggling
attacks described in the original Watchfire paper:
http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf

Apache rejects packets with multiple Content-Length headers, but it
seems as if it uses size information constructed from the
Transfer-Encoding headers instead, which makes this attack possible?

Cheers,
        Moritz
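
The rule in the quoted changelog entry, as an added example that is not part of the original message and is not Apache's code: it shows how a reader honoring Content-Length and one honoring chunked framing disagree on where one response ends, then applies the "remove Content-Length, don't reuse the connection" rule. All function names and the sample response are constructed for illustration.

```python
# Added illustration; not Apache's code. All names and the sample are constructed.
SAMPLE = (b"HTTP/1.1 200 OK\r\n"
          b"Content-Length: 5\r\n"
          b"Transfer-Encoding: chunked\r\n"
          b"\r\n"
          b"b\r\nhello world\r\n0\r\n\r\n")


def parse_fields(head: bytes):
    """Return [(name, value), ...] from a response head (status line skipped)."""
    fields = []
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        fields.append((name.strip(), value.strip()))
    return fields


def chunked_length(body: bytes) -> int:
    """Bytes a chunked-aware reader consumes, through the final empty line."""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            break
        pos += size + 2                               # chunk data + CRLF
    while True:                                       # optional trailers
        eol = body.index(b"\r\n", pos)
        done, pos = eol == pos, eol + 2
        if done:
            return pos


def framing_views(raw: bytes):
    """(length per Content-Length, length per chunked framing) for one response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    cl = [int(v) for n, v in parse_fields(head) if n.lower() == "content-length"]
    return (cl[0] if cl else None), chunked_length(body)


def normalize(fields):
    """Changelog rule: with both headers, drop Content-Length and forbid reuse."""
    names = {n.lower() for n, _ in fields}
    if {"transfer-encoding", "content-length"} <= names:
        return [(n, v) for n, v in fields if n.lower() != "content-length"], False
    return fields, True
```

On the sample, the two framing views give 5 and 21 bytes; after `normalize` only the chunked framing remains and the connection is marked as not reusable.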


