Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apache Request Smuggling Vulnerability Found

Posted by CowboyNeal on from the web-jacking dept.

An anonymous reader writes "Whitedust is reporting on a HTTP request smuggling vulnerability in Apache. The flaw apparently allows attackers to piggy back valid HTTP requests over the 'Content-Length:' header, which can result in cache poisoning, cross-site scripting, session hijacking and other various kinds of attack. This flaw affects most of the 2.0.x branch of Apache's HTTPD server."

5 of 168 comments (clear)

  1. 2.1.6 by DigitumDei · · Score: 5, Informative

    2.1.6 has been released to fix this. This was responded to quickly, so now its just up to the web masters to update their servers.

    --
    East Coast Brewers
  2. Another Dupe by fv · · Score: 5, Informative

    This seems to be a duplicate of the June 12 article on HTTP Request Smuggling. I don't see anything new here, as the original paper also talks about Apache being susceptible to this relatively minor (yet still interesting) issue.

    -Fyodor
    Concerned about your network security? Try the free Nmap Security Scanner.

  3. only affects certain setups by prockcore · · Score: 5, Informative

    Looking at their whitepaper. This seems to only affect a caching service or proxy.

    The attack basically makes the cache think you're requesting one page, but it passes a different request to Apache.

    So unless you have some service between your web server and the public, this vulnerability doesn't seem to affect you.

    To wit: you ask the cache for Page A with a GET for Page B buried in the header. The cache finds that Page A has expired, and passes your request to Apache. Apache instead serves up Page B, the Cache then sticks Page B's data into Page A's cache.

  4. Story & comments are all WRONG by FireChipmunk · · Score: 5, Informative

    First, 1.3, 2.0. and 2.1 were all vulnerable to some parts of this security issue.

    Second, it is not a major security issue for most users.

    It can only be useful if you are running mod_proxy. And even then, it just allows unfiltered requests to the backend. Most people don't even use mod_proxy. If you do, this could have bad implications, but someone still needs to eploit your backend server. It doesn't give anyone a shell or anything like that.

    2.1.6-alpha was released with a fix. 2.0.55 should be coming out very shortly.

  5. Re:Fix-patch in 5...4...3... by photon317 · · Score: 5, Informative


    The bottom line is, according to archive.org, apache themselves claimed the "a patchy server" explanation on their own FAQ page from 1997 through Oct 2002.

    Somewhere in there, they started tacking on an extra paragraph saying that to some developers, it also connoted the Indian meaning.

    Somewhere between Oct 2003 and Feb 2003, they started calling the "a patchy server" explanation a myth, and saying the real explanation was the Indian thing.

    Those of us who were around back when people used to run things like CERN httpd and NCSA httpd remember well that Apache was originally just a set of patches to fix/improve NCSA httpd, before it finally branched off into it's own seperate product. The "patch server" explanation fits the facts of the matter best.

    --
    11*43+456^2