SecurityTracker.com Archives - Apache Chunked Transfer-Encoding and Content-Length Processing Lets Remote Users Smuggle HTTP Requests

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Web Server/CGI) > Apache

Vendors: Apache Software Foundation

Apache Chunked Transfer-Encoding and Content-Length Processing Lets Remote Users Smuggle HTTP Requests

SecurityTracker Alert ID: 1014323

SecurityTracker URL: http://securitytracker.com/id?1014323

CVE Reference: CVE-2005-2088 (Links to External Site)

Updated: Mar 2 2006

Original Entry Date: Jun 29 2005

Impact: Modification of user information

Fix Available: Yes Vendor Confirmed: Yes

Version(s): prior to 2.1.6

Description: A vulnerability was reported in the Apache web server. A remote user may be able to conduct HTTP request smuggling attacks against web-based applications on the target system.

A remote user can submit a specially crafted request with both a 'Transfer-Encoding: chunked' header and a 'Content-Length' header to cause Apache to forward the reassembled request with the original Content-Length HTTP header value. As a result, a malicious request may be embedded within another request as processed by the subsequent application (such as an application server or a proxied system).

This vulnerability was reported by Watchfire.

A description of HTTP request smuggling attacks is available at:

http://www.watchfire.com/resources/HTTP-R equest-Smuggling.pdf

Impact: A remote user may be able to cause Apache to reassemble a connection in such a way that an application (such as an application server) to incorrectly process the connection.

Solution: The vendor has issued a fixed version (2.1.6). A fix is also available for the 2.0 series in the Apache SVN repository.

Vendor URL: httpd.apache.org/ (Links to External Site)

Cause: State error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Message History: This archive entry has one or more follow-up message(s) listed below.

Jul 26 2005	(Red Hat Issues Fix) Apache Chunked Transfer-Encoding and Content-Length Processing Lets Remote Users Smuggle HTTP Requests (bugzilla@redhat.com) Red Hat has released a fix.
Nov 30 2005	(Apple Issues Fix) Apache Chunked Transfer-Encoding and Content-Length Processing Lets Remote Users Smuggle HTTP Requests (Apple Product Security <product-security@apple.com>) Apple has released a fix for Mac OS X.
Mar 2 2006	(Sun Issues Partial Fix) Apache Chunked Transfer-Encoding and Content-Length Processing Lets Remote Users Smuggle HTTP Requests Sun has issued a fix for Solaris 9 and 10.
Mar 17 2006	(HP Issues Fix for HP-UX/Virtualvault) Apache Chunked Transfer-Encoding and Content-Length Processing Lets Remote Users Smuggle HTTP Requests HP has issued a fix for Apache on HP-UX running Virtualvault.

Source Message Contents

Date: Wed, 29 Jun 2005 02:46:25 -0400
Subject: http://www.apache.org/dist/httpd/CHANGES_2.1

 
 
 
> Changes with Apache 2.1.6
 
>   *) SECURITY: 
>      proxy HTTP: If a response contains both Transfer-Encoding and a 
>      Content-Length, remove the Content-Length and don't reuse the
>      connection, stopping some HTTP Request smuggling attacks.
>      [Jeff Trawick]
 
 
> Changes with Apache 2.1.5
 
>   *) SECURITY: 
>      core: If a request contains both Transfer-Encoding and a Content-Length,
>      remove the Content-Length, stopping some HTTP Request smuggling attacks.
>      [Paul Querna]

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2006, SecurityGlobal.net LLC