Bug#316173: apache2: Security issues in HTTP proxy responses with both Transfer-Encoding and Content-Length headers
Steve Kemp wrote:
> > | Proxy HTTP: If a response contains both Transfer-Encoding
> > | and a Content-Length, remove the Content-Length to eliminate
> > | an HTTP Request Smuggling vulnerability and don't reuse the
> > | connection, stopping some HTTP Request Spoofing attacks.
>
> Can I be the first to say that I don't understand the nature of this
> issue?
This seems to be an Apache-specific variation of the HTTP Request Smuggling
attacks described in the original Watchfire paper:
http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf
Apache rejects packets with multiple Content-Length headers, but it
seems as if it uses size information constructed from the
Transfer-Encoding headers instead, which makes this attack possible?
Cheers,
Moritz
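
The header handling that the quoted changelog entry describes, as an added Python illustration (not part of this message and not Apache's code). The function names and the sample response are constructed; the sample shows how a Content-Length reader and a chunked reader disagree on where the body ends.

```python
# Added illustration; function names and the sample response are constructed,
# not taken from Apache's source.

SAMPLE = (b"HTTP/1.1 200 OK\r\n"
          b"Content-Length: 5\r\n"
          b"Transfer-Encoding: chunked\r\n"
          b"\r\n"
          b"b\r\nhello world\r\n0\r\n\r\n")

def split_response(raw):
    """Return (headers as list of (lowercased name, value), body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:              # skip the status line
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("ascii"),
                        value.strip().decode("latin-1")))
    return headers, body

def chunked_end(body):
    """Offset where chunked framing ends (trailers are not handled)."""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return pos + 2                            # CRLF closing the body
        pos += size + 2                               # chunk data + its CRLF

def framing_views(raw):
    """Body end as seen by a Content-Length reader and by a chunked reader."""
    headers, body = split_response(raw)
    return int(dict(headers)["content-length"]), chunked_end(body)

def sanitize(headers):
    """Apply the changelog's rule; returns (headers, may_reuse_connection)."""
    names = [n for n, _ in headers]
    if "transfer-encoding" in names and "content-length" in names:
        # Drop Content-Length and close the backend connection afterwards.
        return [(n, v) for n, v in headers if n != "content-length"], False
    return headers, True

if __name__ == "__main__":
    print(framing_views(SAMPLE))
    print(sanitize(split_response(SAMPLE)[0]))
```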