CAN-2005-2088 moderate: HTTP Request Spoofing A flaw occurred when using the Apache server as a HTTP proxy. A remote attacker could send a HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, causing Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request. This could allow the bypass of web application firewall protection or lead to cross-site scripting (XSS) attacks. public=20050611 [committed]
Actually this isn't complete as the proxy body handling patch illustrates. There is a gross hack in the core, but that's only triggered at the initial acceptance of the request headers, and is subject to 'mutation' by *any* module or filter in the processing chain. The backport of mod_http_proxy.c needs review, if you are volunteering. Also our TRACE implementation in proxy allows request bodies in 2.0.x; while I'm not aware of a direct implication, it's unfair to blame client exploits when we violated the RFC in the first place. See STATUS/showstoppers. I see no reason not to ship 2.0.55 complete once the last security patches have been applied. In fact, I'll RM a candidate 2.0 tarball on Sunday if these showstoppers have been reviewed. Thanks for joining the small chorus, Mark! Bill
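The Content-Length/Transfer-Encoding ambiguity the STATUS entry above describes, as an added example that is not code from the httpd project or from this thread: a small Python classifier that applies the RFC 7230 section 3.3.3 precedence rules a proxy has to enforce at the point it decides body framing, plus the Content-Length strip the RFC requires before such a request is forwarded. The function names (parse_head, classify_framing, head_for_forwarding) and the sample request are constructed for this example.

```python
from typing import List, Tuple

def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw request head into (request line, [(lowercased name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines that carry no ':'
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def classify_framing(raw: bytes, strict: bool = True) -> str:
    """Decide how the body is delimited per RFC 7230 section 3.3.3.
    strict=True refuses a CL+TE request outright; strict=False lets
    Transfer-Encoding override Content-Length, as the RFC permits."""
    _, headers = parse_head(raw)
    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]
    if tes and cls and strict:
        return "reject"  # the CL/TE ambiguity behind CAN-2005-2088
    if tes:
        codings = [c.strip().lower() for v in tes for c in v.split(",")]
        # the body length is only determinable when chunked is the final coding
        return "chunked" if codings[-1] == "chunked" else "reject"
    if cls:
        if len(set(cls)) > 1 or not cls[0].isdigit():
            return "reject"  # conflicting or non-numeric lengths
        return "content-length"
    return "no-body"

def head_for_forwarding(raw: bytes) -> bytes:
    """Lenient proxy path: accept TE-over-CL, but strip Content-Length before
    forwarding so the origin cannot frame the body differently than we did."""
    verdict = classify_framing(raw, strict=False)
    if verdict == "reject":
        raise ValueError("ambiguous framing: answer 400, do not forward")
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if verdict == "chunked":
        lines = [l for l in lines if not l.lower().startswith(b"content-length:")]
    return b"\r\n".join(lines) + sep + body

# Constructed sample: both framing headers on one request (not real traffic).
SAMPLE = (b"POST /app HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
```

In strict mode the sample is rejected; in lenient mode the proxy forwards it with only the chunked framing, which is the behaviour the 2.0.x proxy body handling lacked.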