Posted to current-testers@httpd.apache.org by "William A. Rowe, Jr." <wr...@rowe-clan.net> on 2005/07/18 22:52:05 UTC

[patch 2.0] HTTP Request/Response Spoofing/Splitting attacks

As you likely read, there was a simple hack in 2.1.6-alpha
to address part of this class of vulnerabilities, along with a 
simple patch to deal with response headers from an origin server 
when Apache is running as a proxy.  I'd like to offer the entire
testing community a group of patches which will, hopefully, be
incorporated in a prompt release of 2.0.55.

These are the three security patches to 2.0.54 available for review
and testing, and I'd invite the user community to adopt and test
these patches and respond to users@; a +1/-1 and the OS/tests you
validated with would be great:

  http://people.apache.org/~wrowe/httpd-2.0-cl-te-protocol.patch

    this simple patch strips the Content-Length (C-L) header from
    any proxy response when that response includes Transfer-Encoding,
    per RFC 2616.  It stops some HTTP Response Splitting.

  http://people.apache.org/~wrowe/httpd-2.0.54-proxy-request.patch

    this patch refactors request body handling within httpd-2.0,
    so that for all short request bodies C-L is used; for long
    bodies T-E is only used for client T-E bodies (or if you set
    the proxy-sendchunks variable); and C-L bodies streamed through
    a disk cache are the most common preference, forced if you set
    the proxy-sendcl variable.  It stops some HTTP Request Splitting.

  http://people.apache.org/~wrowe/httpd-2.0-cl-te-protocol.patch

    this is an all-around good patch: it removes the C-L header
    whenever the Transfer-Encoding header is used, per RFC 2616.
    It applies to -all- requests from a client to any module,
    but masks the bug that patch -proxy-request4.patch solves,
    so add this one in after you are happy that -proxy-request4
    does the right thing.  It stops some HTTP Request Splitting.

as well as a special patch for a frequently requested feature

  http://people.apache.org/~wrowe/httpd-2.0-trace.patch

which introduces TraceEnable [on|off|extended].

Although TraceEnable on|off does what you think it does,
TraceEnable extended lets you test request bodies (these are
actually prohibited by the TRACE specification in RFC 2616).
So don't leave a public server as TraceEnable extended, but you
might want to use it for testing the patches above.

Please, give these a whirl; I suspect the user community has
a greater vested interest in seeing these adopted than the dev
community does ;)  All of these are already fixed in the 2.2.x
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x
repository, currently in alpha for a future Apache 2.2 release,
and will be available as 2.1.7-alpha in the very near future.

This post is mostly for the benefit of existing 2.0.54 users
[im?]patiently awaiting a fix.  

If you observe a problem, please identify if it is a new bug
(regression) from 2.0.54; if you observe a bug fixed by this 
refactored code, please identify that, as well.

Yours,

Bill
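An added illustration of the RFC 2616 section 4.4 rule that the cl-te-protocol patches enforce (when Transfer-Encoding is present, Content-Length is dropped so that a proxy and an origin server cannot disagree on where a message body ends). This is example code written for this page, not Bill's patch and not httpd code. The header block below is constructed; the parser, the function names, and the extra refusal of conflicting duplicate Content-Length values are assumptions of this example, not behaviour the post describes.

```python
import re
from typing import List, Tuple

Header = Tuple[str, str]

# Constructed sample of an origin-server response header block carrying both
# framing headers at once; this is the ambiguity the patch removes.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 5\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
)


class FramingError(ValueError):
    """Raised when a header block cannot be framed unambiguously."""


def parse_header_block(raw: bytes) -> Tuple[str, List[Header]]:
    """Split a header block (through the blank line) into the start line and
    an ordered list of (name, value) pairs; obs-fold continuations are joined."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("header block not terminated by CRLFCRLF")
    lines = head.decode("iso-8859-1").split("\r\n")
    start_line, headers = lines[0], []
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):  # continuation of the previous header
            if not headers:
                raise FramingError("continuation line before any header")
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise FramingError(f"malformed header line: {line!r}")
        headers.append((name, value.strip()))
    return start_line, headers


def normalize_framing(headers: List[Header]) -> Tuple[List[Header], str]:
    """Apply the RFC 2616 4.4 rule: if Transfer-Encoding is present and is
    not 'identity', Content-Length must be ignored, so it is removed.
    Returns (cleaned headers, framing), framing being 'chunked',
    'content-length' or 'none'."""
    te = [v for n, v in headers if n.lower() == "transfer-encoding"]
    cl = [v for n, v in headers if n.lower() == "content-length"]
    codings = [c.strip().lower() for v in te for c in v.split(",") if c.strip()]
    if codings and codings != ["identity"]:
        # RFC 2616 3.6: chunked must be the last transfer-coding applied, so
        # anything else at the end leaves the body length undetermined.
        if codings[-1] != "chunked":
            raise FramingError(f"unsupported transfer-coding chain: {codings}")
        cleaned = [(n, v) for n, v in headers if n.lower() != "content-length"]
        return cleaned, "chunked"
    if cl:
        # Assumed extra strictness (not part of the patch): conflicting or
        # non-numeric Content-Length values are rejected rather than guessed.
        if len(set(cl)) != 1 or not re.fullmatch(r"\d+", cl[0]):
            raise FramingError(f"ambiguous Content-Length values: {cl}")
        return headers, "content-length"
    return headers, "none"


def normalize_message(raw: bytes) -> Tuple[bytes, str]:
    """Parse a header block, normalize its framing and re-serialize it."""
    start_line, headers = parse_header_block(raw)
    cleaned, framing = normalize_framing(headers)
    out = start_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in cleaned) + "\r\n"
    return out.encode("iso-8859-1"), framing


if __name__ == "__main__":
    fixed, framing = normalize_message(SAMPLE_RESPONSE)
    print(framing)
    print(fixed.decode("iso-8859-1"))
```

Running the script prints `chunked` followed by the header block with Content-Length gone, which is the same outcome the patch produces for a proxied response. The checks are deliberately placed on the receiving side: a forwarding proxy that settles framing before it re-emits the message is what prevents the downstream and upstream parties from reading different body boundaries.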