
HTTP Request Smuggling
Andrew Taylor <ataylor(at)rentokil-initial.com>
2005-07-13 10:49:13
Hi,

We've just been made aware of a vulnerability in some HTTP servers 
called HTTP Request Smuggling (see 
http://www.securiteam.com/securityreviews/5GP0220G0U.html).

What seems to be common with these attacks is the duplicate 
Content-Length headers. Depending on the HTTP server running you get 
different behaviour as described at the URL above.

Is there a way (or could there be a way) in Pound to look for these 
duplicate headers and, if found, for the request to be discarded rather 
than passed to a back end server?

Comments much appreciated.
[...]

Re: [Pound Mailing List] HTTP Request Smuggling
Robert Segall <roseg(at)apsis.ch>
2005-07-13 13:28:48
On Wed, 13 Jul 2005 09:49:13 +0100 Andrew Taylor
<ataylor(at)rentokil-initial.com> wrote:
[...]

Request smuggling can be achieved by using multiple Content-length
headers, but also by using Content-encoding, transfer modes and so on.

As things stand Pound will use the LAST Content-length header in order
to decide on the request size. See line 758 in http.c.

You can add a check for multiple headers there, but given that there are
other ways of smuggling a request this is not enough...[...]
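
A sketch of the kind of header check discussed in this thread, added here as an example and not taken from Pound's http.c: it refuses a request carrying more than one Content-Length header instead of choosing the first or last, and additionally rejects a malformed length and a Content-Length combined with Transfer-Encoding. The names `check_framing`, `hdr_value`, `is_decimal`, the enum and the one-header-per-string layout are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum hdr_verdict { HDR_OK, HDR_DUP_CL, HDR_BAD_CL, HDR_CL_AND_TE };

/* If `line` is the header `name` (case-insensitive), return its value, else NULL. */
static const char *hdr_value(const char *line, const char *name)
{
    size_t n = strlen(name);
    if (strncasecmp(line, name, n) != 0) return NULL;
    line += n;
    while (*line == ' ' || *line == '\t') line++;   /* count "Name :" as well */
    if (*line++ != ':') return NULL;
    while (*line == ' ' || *line == '\t') line++;
    return line;
}

/* A usable length is ASCII digits only, optionally followed by whitespace. */
static int is_decimal(const char *v)
{
    if (!isdigit((unsigned char)*v)) return 0;
    while (isdigit((unsigned char)*v)) v++;
    while (*v == ' ' || *v == '\t' || *v == '\r' || *v == '\n') v++;
    return *v == '\0';
}

/* hdrs: one header line per string (hypothetical layout, not Pound's). */
enum hdr_verdict check_framing(const char *const *hdrs, size_t count)
{
    size_t n_cl = 0, n_te = 0;
    for (size_t i = 0; i < count; i++) {
        const char *v = hdr_value(hdrs[i], "Content-Length");
        if (v != NULL) {
            if (++n_cl > 1) return HDR_DUP_CL;      /* never pick first or last */
            if (!is_decimal(v)) return HDR_BAD_CL;
        } else if (hdr_value(hdrs[i], "Transfer-Encoding") != NULL) {
            n_te++;
        }
    }
    return (n_cl && n_te) ? HDR_CL_AND_TE : HDR_OK;
}

int main(void)
{   /* constructed sample headers */
    const char *req[] = { "Host: example.test", "Content-Length: 0", "Content-Length: 44" };
    printf("verdict=%d\n", check_framing(req, 3));
    return 0;
}
```

Any verdict other than `HDR_OK` means the request should be answered with an error at the proxy and not forwarded to a back end.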
