CAN-2005-2088 moderate: HTTP Request Spoofing

        A flaw occurred when using the Apache server as an HTTP proxy. A
        remote attacker could send an HTTP request with both a
        "Transfer-Encoding: chunked" header and a Content-Length header,
        causing Apache to incorrectly handle and forward the body of the
        request in a way that causes the receiving server to process it as
        a separate HTTP request.  This could allow the bypass of web
        application firewall protection or lead to cross-site scripting
        (XSS) attacks.
        public=20050611
        [committed]

Actually this isn't complete as the proxy body handling patch
illustrates.  There is a gross hack in the core, but that's only
triggered at the initial acceptance of the request headers, and
is subject to 'mutation' by *any* module or filter in the processing
chain.  The backport of mod_http_proxy.c needs review, if you are
volunteering.

Also, our TRACE implementation in proxy allows request bodies in 2.0.x;
while I'm not aware of a direct implication, it's unfair to blame client
exploits when we violated the RFC in the first place.

See STATUS/showstoppers.

I see no reason not to ship 2.0.55 complete once the last security
patches have been applied.  In fact, I'll RM a candidate 2.0 tarball
on Sunday if these showstoppers have been reviewed.

Thanks for joining the small chorus, Mark!

Bill
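
The framing ambiguity behind the CAN-2005-2088 entry above, as an added illustration that is not part of this thread or of httpd's code: a strict intermediary should refuse any request that carries both Transfer-Encoding and Content-Length (or otherwise ambiguous length headers) instead of picking one interpretation and forwarding the rest as a second request. The `framing_decision` function and the sample requests are constructed for this example.

```python
"""Body-framing check for an HTTP/1.1 intermediary (constructed example)."""
import re

# token ":" OWS field-value OWS, one header line per match
HEADER_RE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


def parse_head(raw: bytes):
    """Split a raw request head into (request_line, [(lowercased name, value)])."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        m = HEADER_RE.match(line)
        if not m:  # obs-fold, bare names, etc. are not worth guessing about
            raise ValueError("malformed header line: %r" % line)
        headers.append((m.group(1).lower(), m.group(2)))
    return lines[0], headers


def framing_decision(raw: bytes) -> str:
    """Decide how the body of a request head is delimited (RFC 7230 3.3.3).

    'chunked'          Transfer-Encoding ends in chunked, no Content-Length
    'content-length:N' exactly one numeric Content-Length value N
    'none'             no body framing headers at all
    'reject'           ambiguous framing: answer 400 and close the connection
    """
    try:
        _, headers = parse_head(raw)
    except ValueError:
        return "reject"
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    if te:
        # Both headers present is the CAN-2005-2088 shape: a proxy and the
        # origin behind it may disagree on where this request ends.
        if cl:
            return "reject"
        codings = [c.strip().lower() for v in te for c in v.split(b",")]
        if codings[-1] != b"chunked" or codings.count(b"chunked") != 1:
            return "reject"
        return "chunked"
    if cl:
        # Several Content-Length values are only acceptable if identical.
        if len(set(cl)) != 1 or not re.fullmatch(rb"[0-9]+", cl[0]):
            return "reject"
        return "content-length:%d" % int(cl[0])
    return "none"
```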

