Posted to current-testers@httpd.apache.org by "William A. Rowe, Jr." <wr...@rowe-clan.net> on 2005/07/18 22:52:05 UTC
[patch 2.0] HTTP Request/Response Spoofing/Splitting attacks
As you likely read, there was a simple hack in 2.1.6-alpha
to address part of this class of vulnerabilities, along with a
simple patch to deal with response headers from an origin server
when Apache is running as a proxy. I'd like to offer the entire
testing community a group of patches which will, hopefully, be
incorporated in a prompt release of 2.0.55.
These are the three security patches to 2.0.54 available for review
and testing, and I'd invite the users community to adopt and test
these patches and respond to users@; a +1/-1 and the OS/tests you
validated with would be great:
http://people.apache.org/~wrowe/httpd-2.0-cl-te-protocol.patch
this simple patch strips the Content-Length (C-L) header from
any proxy response when that response includes Transfer-Encoding,
per RFC 2616. It stops some HTTP Response Splitting.
http://people.apache.org/~wrowe/httpd-2.0.54-proxy-request.patch
this patch refactors request body handling within httpd-2.0,
so that for all short request bodies, C-L is used; for long
bodies T-E is only used for client T-E bodies (or if you set
the proxy-sendchunks variable), and C-L bodies streamed through
a disk cache are the most common preference, forced if you set
the proxy-sendcl variable. It stops some HTTP Request Splitting.
http://people.apache.org/~wrowe/httpd-2.0-cl-te-protocol.patch
this is an all-around good patch, it removes the C-L header
whenever the Transfer-Encoding header is used, per RFC 2616.
It applies to -all- requests from a client to any module,
but masks the bug that patch -proxy-request4.patch solves,
so add this one in after you are happy that -proxy-request4
does the right thing. It stops some HTTP Request Splitting.
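The C-L/T-E rule behind the first and third patches, as an added example that is not code from the httpd patches themselves: a small header-block normaliser that drops Content-Length whenever Transfer-Encoding is present, so every hop frames the message body the same way. The function name and the sample request are constructed for this example.

```c
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Case-insensitive test for "Name:" at the start of a header line. */
static int header_is(const char *line, const char *name)
{
    size_t n = strlen(name);
    return strncasecmp(line, name, n) == 0 && line[n] == ':';
}

/* Copies the CRLF-delimited header block 'in' to 'out' (capacity outlen),
 * dropping every Content-Length line when a Transfer-Encoding header is
 * present (RFC 2616 section 4.4: T-E takes precedence, C-L must be ignored).
 * Returns the number of C-L lines removed, or -1 if 'out' is too small.
 * Folded (obs-fold) header lines are not handled. */
int strip_cl_when_te(const char *in, char *out, size_t outlen)
{
    int has_te = 0, removed = 0;
    size_t used = 0;
    const char *p;

    /* Pass 1: is Transfer-Encoding present anywhere in the block? */
    for (p = in; *p; ) {
        const char *eol = strstr(p, "\r\n");
        if (header_is(p, "Transfer-Encoding"))
            has_te = 1;
        p = eol ? eol + 2 : p + strlen(p);
    }
    /* Pass 2: copy every line except Content-Length when has_te is set. */
    for (p = in; *p; ) {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol + 2 - p) : strlen(p);
        if (has_te && header_is(p, "Content-Length")) {
            removed++;
        } else {
            if (used + len >= outlen)
                return -1;
            memcpy(out + used, p, len);
            used += len;
        }
        p += len;
    }
    out[used] = '\0';
    return removed;
}
```

Run it over a constructed request carrying both headers and the Content-Length line disappears while everything else is copied verbatim; a request with only C-L passes through unchanged.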
as well as a special patch for a frequently requested feature
http://people.apache.org/~wrowe/httpd-2.0-trace.patch
which introduces TraceEnable [on|off|extended].
Although TraceEnable on|off does what you think it does, the
TraceEnable extended lets you test request bodies (these are
actually prohibited by the TRACE specification in RFC 2616.)
So don't leave a public server as TraceEnable extended, but you
might want to use it for testing the patches above.
Please, give these a whirl; I suspect the user community has
a greater vested interest in seeing these adopted than the dev
community does ;) All of these are already fixed in the 2.2.x
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x
repository, currently in alpha for a future Apache 2.2 release,
and will be available as 2.1.7-alpha in the very near future.
This post is mostly for the benefit of existing 2.0.54 users
[im?]patiently awaiting a fix.
If you observe a problem, please identify if it is a new bug
(regression) from 2.0.54; if you observe a bug fixed by this
refactored code, please identify that, as well.
Yours,
Bill