Steve Kemp wrote: > > | Proxy HTTP: If a response contains both Transfer-Encoding > > | and a Content-Length, remove the Content-Length to eliminate > > | an HTTP Request Smuggling vulnerability and don't reuse the > > | connection, stopping some HTTP Request Spoofing attacks. > > Can I be the first to say that I don't understand the nature of this > issue?
This seems to be an Apache specific variation of the HTTP Request Smuggling attacks described in the original Watchfire paper: http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf Apache rejects packets with multiple Content-Length headers, but it seems as if it uses size information constructed from the Transfer- Encoding headers instead, which make this attack possible? Cheers, Moritz -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]