Apache Request Smuggling Vulnerability Found
An anonymous reader writes "Whitedust is reporting on a HTTP request smuggling vulnerability in Apache. The flaw apparently allows attackers to piggy back valid HTTP requests over the 'Content-Length:' header, which can result in cache poisoning, cross-site scripting, session hijacking and other various kinds of attack. This flaw affects most of the 2.0.x branch of Apache's HTTPD server."
1.3.x is very stable and production ready
2.0.x is very stable and production ready, but it doesn't have the same amount of years on its neck as 1.3.x - and thus doesn't have as widespread deployment.
2.1.x is alpha-quality, and it has the fix..
messed up priorities?
Apache admins who read the watchfire paper felt fairly safe as its technique only resulted in limited effects to Apache. The technique described simply used multiple Content-Length headers, which Apache effectively handled. This modified technique incorporates the use of chunked encoding to open Apache up to the wider effects that other servers experienced with the simpler exploit. After reading this, Apache admins should plot their upgrades in short order.