Headline
CVE-2005-2088: Bugtraq: A new whitepaper by Watchfire
The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a “Transfer-Encoding: chunked” header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka “HTTP Request Smuggling.”
Bugtraq mailing list archives: A new whitepaper by Watchfire - HTTP Request Smuggling
From: Ory Segal <orysegal () netvision net il>
Date: Mon, 06 Jun 2005 19:09:04 +0300
Ory Segal wrote:
Hello,
Today, Watchfire released a new whitepaper, titled "HTTP Request Smuggling". The full paper can be found in the following link: http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf
The paper’s abstract is copied below:
“We describe a new web entity attack technique – “HTTP Request Smuggling”. The attack technique and the derived attacks are relevant to most web environments and is the result of a HTTP server or device’s failure to properly handle malformed inbound HTTP requests. HTTP Request Smuggling works by taking advantage of the discrepancies in parsing when one or more HTTP devices/entities (e.g. Cache Server, Proxy Server, Web Application Firewall, etc.) are in the data flow between the user and the web server. HTTP Request Smuggling enables various attacks – web cache poisoning, session hijacking, cross-site scripting and most serious the ability to bypass web application firewall protection. HTTP Request Smuggling sends multiple specially-crafted HTTP requests that cause the two attacked entities to see two different sets of requests, allowing the hacker to smuggle a request to one device without the other device being aware of it. In the Web Cache poisoning attack, this smuggled request will trick the cache server into unintendedly associating a URL to another URL’s page (content), and caching this content for the URL. In the Web Application Firewall attack the smuggled request could be a worm (like Nimda or Code Red) or buffer overflow attack targeting the web server. Finally, because HTTP Request Smuggling enables the attacker to insert or sneak a request into the flow it allows the attacker to manipulate the web server’s request/response sequencing which can allow for credential hijacking and other malicious outcomes.”
Thank you,
Ory Segal
Director of Security Research
Watchfire (Israel) LTD.
Tel: +972-9-9586077, Ext.236
Mobile: +972-54-7739359
e-mail: osegal at watchfire.com