httpd-dev mailing list archives

From "William A. Rowe, Jr."
Subject Re: Security release needed for 2.0
Date Fri, 09 Sep 2005 16:44:06 GMT
> CAN-2005-2088 moderate: HTTP Request Spoofing
> 	A flaw occurred when using the Apache server as an HTTP proxy. A
> 	remote attacker could send an HTTP request with both a
> 	"Transfer-Encoding:  chunked" header and a Content-Length header,
> 	causing Apache to incorrectly handle and forward the body of the
> 	request in a way that causes the receiving server to process it as
> 	a separate HTTP request.  This could allow the bypass of web
> 	application firewall protection or lead to cross-site scripting
> 	(XSS) attacks.
> 	public=20050611
> 	[committed]

Actually this isn't complete as the proxy body handling patch
illustrates.  There is a gross hack in the core, but that's only
triggered at the initial acceptance of the request headers, and
is subject to 'mutation' by *any* module or filter in the processing
chain.  The backport of mod_http_proxy.c needs review, if you are

Also, our TRACE implementation in proxy allows request bodies in 2.0.x;
while I'm not aware of a direct implication, it's unfair to blame client
exploits when we violated the RFC in the first place.

See STATUS/showstoppers.

I see no reason not to ship 2.0.55 complete once the last security
patches have been applied.  In fact, I'll RM a candidate 2.0 tarball
on Sunday if these showstoppers have been reviewed.

Thanks for joining the small chorus, Mark!
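
An added example, not part of the original message or of httpd's code: a Python check that a proxy front end or log pipeline could run on a request head to flag the ambiguous framing described in CAN-2005-2088 (both Transfer-Encoding and Content-Length present) and a TRACE request that carries a body. The function names, finding labels and sample requests are constructed for illustration.

```python
"""Flag HTTP requests whose body framing is ambiguous for a proxy."""

def parse_head(raw: bytes):
    """Return (method, headers); headers maps lower-cased names to a
    list of values so that repeated headers are preserved."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line; a real proxy should reject it
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, headers

def framing_findings(raw: bytes):
    """Return labels for framing problems a proxy must resolve before it
    forwards the request, so both hops agree where the body ends."""
    method, h = parse_head(raw)
    te = [t.strip().lower()
          for v in h.get("transfer-encoding", []) for t in v.split(",")]
    cl = h.get("content-length", [])
    findings = []
    if te and cl:
        # RFC 2616 sec. 4.4: Content-Length must be ignored when
        # Transfer-Encoding is present; forwarding both is the flaw.
        findings.append("te-and-cl")
    if len(set(cl)) > 1:
        findings.append("conflicting-cl")
    if method == "TRACE" and (te or any(v != "0" for v in cl)):
        # RFC 2616 sec. 9.8: a TRACE request must not include an entity.
        findings.append("trace-with-body")
    return findings

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "plain-get": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "both": (b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding:  chunked\r\n\r\n"
             b"0\r\n\r\n"),
    "trace-body": (b"TRACE / HTTP/1.1\r\nHost: example.test\r\n"
                   b"Content-Length: 4\r\n\r\nabcd"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, framing_findings(raw))
```

Because any module or filter can change the headers after the initial check, a check like this is only meaningful on the request as it is about to be forwarded.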

