pound and Apache Chunked-Encoding Memory Corruption Vulnerability
Patrice Léonard <patrice.leonard(at)citobi.be>
2005-09-20 11:09:29 [ FULL ]
Hi,

    We have pound in front of some tomcats. Qualys (www.qualys.com) scans our
servers and reports vulnerabilities to us.

Here is the "Scan Vulnerabilities Report" we received:

   Severity Analysis 
        5  Vulnerability:  Apache Chunked-Encoding Memory Corruption
Vulnerability 
            Qualys ID : 86352    CVE ID : CVE-2002-0392 
            Port : 80  
            Diagnosis:  
            Apache is a freely available Web server for Unix and Linux
variants, as well as Microsoft operating systems. Various products, such as
StrongHold, Oracle 9iAS and IBM Websphere, use or bundle Apache.

            The HTTP protocol specifies a method of data coding called 'Chunked
Encoding', designed to facilitate fragmentation of HTTP requests in transit. A
vulnerability has been discovered in the Apache implementation of 'Chunked
Encoding'. When processing requests coded with the 'Chunked Encoding'
mechanism, Apache fails to properly calculate required buffer sizes. This is
due to improper (signed) interpretation of an unsigned integer value.

            On Windows and Netware platforms, Apache uses threads within a
single server process to handle concurrent connections. Causing the server
process to crash on these platforms may result in a denial of service.
            The link 
            http://httpd.apache.org/info/security_bulletin_20020617.txt
provides additional information on this vulnerability for Apache running on
Windows.
           
            Consequences:  This vulnerability can be exploited by an attacker
to cause a Denial of Service and even execute arbitrary code on the vulnerable
machine.  
            Solution:  
            This vulnerability has been fixed in Apache 1.3.26 and Apache
2.0.37. Please upgrade to the latest version.

            An efix (via APAR PQ62369) is available for IHS from the IBM HTTP
Server Downloads webpage.

            A complete list of vendor status and fixes can be found in CERT
advisory CA-2002-17
           
            Result:  Detailed result listings are provided in the Free 7-day
Trial  

We don't have any Apache running on our server, but Qualys seems to detect an
Apache vulnerability.
  a. Is pound secure?
  b. Can I do something to prevent Qualys from reporting such a vulnerability?
  c. We believe in pound, but such reports could prevent some companies from
using it. (It's a matter of trust between the company and its customers.)
  d. To test, you can run a Qualys FreeScan at this URL: https://freescan.qualys.com/index.php?lsid=6302
For us, pound is the best reverse-proxy solution we've seen; thank you for helping
us adopt it!!!

Regards,
Patrice
Attachments:  
text.html text/html 8986 Bytes
level5.gif image/gif 128 Bytes
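The Qualys text quoted in the message above describes CVE-2002-0392 as a signed interpretation of an unsigned chunk size that leads Apache to miscalculate a buffer length. The C below is an added illustration of that class of bug; it is not Apache or Pound source, and every function name in it is invented here. It parses the same constructed chunk-size line twice: once in the style the advisory describes (the size lands in a 32-bit signed variable and the amount to copy is chosen with a signed comparison), and once with unsigned arithmetic, an explicit overflow check and an unsigned clamp. Both versions only compute the length a copy routine would be handed; neither copies anything.

```c
#include <stdio.h>
#include <stdint.h>
#include <ctype.h>
#include <limits.h>

/* Parse the hex size at the start of a chunk-size line ("1A;ext=1\r\n").
 * Stops at ';' (chunk extension), CR, LF or end of string. Returns 0 and the
 * value on success, -1 if there are no hex digits, the line is malformed, or
 * the value would not fit in 64 bits. */
static int parse_chunk_size(const char *line, uint64_t *out)
{
    uint64_t v = 0;
    const char *p = line;
    int ndigits = 0;
    for (; isxdigit((unsigned char)*p); p++, ndigits++) {
        int d = isdigit((unsigned char)*p) ? *p - '0'
                                            : tolower((unsigned char)*p) - 'a' + 10;
        if (v > (UINT64_MAX - (uint64_t)d) / 16) return -1;  /* v*16 + d would overflow */
        v = v * 16 + (uint64_t)d;
    }
    if (ndigits == 0) return -1;
    if (*p != ';' && *p != '\r' && *p != '\n' && *p != '\0') return -1;
    *out = v;
    return 0;
}

/* The pattern the advisory describes (a model, not Apache's code): the chunk
 * size lands in a 32-bit signed variable and the copy length is picked with a
 * signed comparison. 0xFFFFFFF0 reads as -16, "fits" in any buffer, and the
 * length handed to a copy routine that takes size_t becomes a huge value.
 * This function only returns that length; it copies nothing. */
static size_t copy_len_vulnerable(const char *line, int bufsiz)
{
    uint64_t raw;
    if (parse_chunk_size(line, &raw) != 0) return 0;
    int32_t remaining = (int32_t)raw;                 /* high bits dropped, sign bit set */
    int len_to_read = remaining > bufsiz ? bufsiz : remaining;
    return (size_t)len_to_read;                       /* -16 becomes SIZE_MAX - 15 */
}

/* Hardened: keep the size unsigned end to end and clamp with an unsigned
 * comparison, so the result never exceeds bufsiz. Returns -1 on a malformed
 * or overflowing size line. */
static long copy_len_hardened(const char *line, size_t bufsiz)
{
    uint64_t remaining;
    if (bufsiz > (size_t)LONG_MAX) return -1;        /* so the clamped value fits a long */
    if (parse_chunk_size(line, &remaining) != 0) return -1;
    return (long)(remaining > bufsiz ? bufsiz : remaining);
}

int main(void)
{
    const char *line = "FFFFFFF0\r\n";               /* constructed hostile chunk-size line */
    printf("vulnerable: would read %zu bytes into an 8192-byte buffer\n",
           copy_len_vulnerable(line, 8192));
    printf("hardened:   %ld\n", copy_len_hardened(line, 8192));
    return 0;
}
```

The point of the hardened version is that no signed type ever holds the attacker-controlled size: the parser rejects values that do not fit 64 bits, and the clamp is an unsigned comparison against the real buffer size, so the only lengths that can reach a copy routine are between 0 and bufsiz.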

Re: [Pound Mailing List] pound and Apache Chunked-Encoding Memory Corruption Vulnerability
Robert Segall <roseg(at)apsis.ch>
2005-09-20 12:35:36 [ FULL ]
On Tue, 20 Sep 2005 11:09:29 +0200 Patrice Léonard
<patrice.leonard(at)citobi.be> wrote:
[...]

Yes, we believe it to be. Pound does not buffer the data at all - it
just passes the chunks as they arrive directly to the back-end.
[...]

No. Pound is transparent, so your scan really reports on the back-end
server. The scanner is not even aware that Pound sits in the middle, and
in fact it reports the server to be Apache!
[...]

So fix your back-end or, even better, educate your users about the true
values of these scans. Attempting to use or interpret scan results
without an understanding of the underlying problem is not very
productive.
[...]

Glad you like it. Hopefully you'll help make it better.[...]

Re: [Pound Mailing List] pound and Apache Chunked-Encoding Memory Corruption Vulnerability
Patrice Léonard <patrice.leonard(at)citobi.be>
2005-09-20 14:34:30 [ FULL ]
Thank you,

We're looking for vulnerabilities in our tomcat installation.

Best regards,
Patrice


----- Original Message -----
From: "Robert Segall" <roseg(at)apsis.ch>
To: <pound(at)apsis.ch>
Sent: Tuesday, September 20, 2005 12:35 PM
Subject: Re: [Pound Mailing List] pound and Apache Chunked-Encoding Memory
Corruption Vulnerability


On Tue, 20 Sep 2005 11:09:29 +0200 Patrice Léonard
<patrice.leonard(at)citobi.be> wrote:
[...]

Yes, we believe it to be. Pound does not buffer the data at all - it
just passes the chunks as they arrive directly to the back-end.
[...]

No. Pound is transparent, so your scan really reports on the back-end
server. The scanner is not even aware that Pound sits in the middle, and
in fact it reports the server to be Apache!
[...]

So fix your back-end or, even better, educate your users about the true
values of these scans. Attempting to use or interpret scan results
without an understanding of the underlying problem is not very
productive.
[...]

Glad you like it. Hopefully you'll help make it better.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904

--
To unsubscribe send an email with subject 'unsubscribe' to pound(at)apsis.ch.
Please contact roseg(at)apsis.ch for questions.
http://192.168.1.2:8080/Apsis/pound/pound_list/archive/2005/2005-09/1127207369000/1127212536000

Re: [Pound Mailing List] pound and Apache Chunked-Encoding Memory Corruption Vulnerability
Patrice Léonard <patrice.leonard(at)citobi.be>
2005-09-26 15:49:52 [ FULL ]
Hi,

    Thank you for your reply.

Our servers are Fedora Core 4
Our back-end servers are Tomcat 5.5.9

    We've made two different security scans:
1/ pound in front of our tomcats
    Qualys detects a severe vulnerability "Apache Chunked-Encoding Memory
Corruption Vulnerability" (see below)

2/ tomcats alone accepting direct traffic
    Qualys reports no vulnerabilities at all.

Some observations:
  1. It seems that tomcat 5.5.9 doesn't have the "Apache Chunked-Encoding
Memory Corruption Vulnerability".
  2. It seems that pound is not so transparent to the Qualys scan.
According to your reply, we know that pound doesn't buffer the data.
I don't understand very well: in order to dispatch the HTTP request to the
back-end, pound must open it to match it to a urlgroup.
What happens if my URL is very very very very very long? What happens if I use
Chunked Transfer Coding? Can I cause some damage?

Thank you!!!

Best regards,

Patrice



----- Original Message ----- 
From: "Robert Segall" <roseg(at)apsis.ch>
To: <pound(at)apsis.ch>
Sent: Tuesday, September 20, 2005 12:35 PM
Subject: Re: [Pound Mailing List] pound and Apache Chunked-Encoding Memory
Corruption Vulnerability


On Tue, 20 Sep 2005 11:09:29 +0200 Patrice Léonard
<patrice.leonard(at)citobi.be> wrote:
[...]

Yes, we believe it to be. Pound does not buffer the data at all - it
just passes the chunks as they arrive directly to the back-end.
[...]

No. Pound is transparent, so your scan really reports on the back-end
server. The scanner is not even aware that Pound sits in the middle, and
in fact it reports the server to be Apache!
[...]

So fix your back-end or, even better, educate your users about the true
values of these scans. Attempting to use or interpret scan results
without an understanding of the underlying problem is not very
productive.
[...]

Glad you like it. Hopefully you'll help make it better.[...]
Attachments:  
text.html text/html 11297 Bytes

Re: [Pound Mailing List] pound and Apache Chunked-Encoding Memory Corruption Vulnerability
Robert Segall <roseg(at)apsis.ch>
2005-09-26 16:13:36 [ FULL ]
On Mon, 26 Sep 2005 15:49:52 +0200 Patrice Léonard
<patrice.leonard(at)citobi.be> wrote:
[...]

You're welcome.
[...]

...and it seems your back-end - or at least the one being used - is not
the same Tomcat as the one you tested.

Pound does NOT add, remove or change any (relevant) headers, thus the
Apache signature is NOT a Pound artifact. Please check again your
configuration.
[...]

A quick look at the source would confirm that and you won't have to rely
on my word alone.
[...]

Long URLs are truncated (see MAXBUF in pound.h) - at worst the client
gets a 404. This has nothing to do with chunked transfers.

Chunked transfer encoding is passed to the back-end unchanged. How they
deal with it is not Pound's responsibility.

Can you cause some damage? I don't know, why don't you test, look at the
source and tell us? We're pretty quick at fixing problems and we'd be
happy if you could show us some vulnerability we are not aware of.[...]
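The checks Robert's two replies call for (that the Server banner the scanner sees comes from the back-end, and how Pound treats chunked bodies and over-long request lines) as an added probe in C. It is not part of this thread and not Pound's or Tomcat's code. It builds a chunked POST and a GET with a 65000-byte path, sends each to one listener, and prints the status code and Server header that come back; running it once against Pound's port and once against a Tomcat port shows whether the proxy changes either. The host, port, the 65000-byte length and all function names are assumptions made here.

```c
#define _POSIX_C_SOURCE 200112L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>

/* Chunked POST: one chunk per (non-empty) body piece, then the terminating
 * zero-size chunk. Returns bytes written, or -1 if the request does not fit. */
static int build_chunked_post(char *buf, size_t cap, const char *host,
                              const char **pieces, int npieces)
{
    int n = snprintf(buf, cap, "POST / HTTP/1.1\r\nHost: %s\r\n"
                     "Transfer-Encoding: chunked\r\nConnection: close\r\n\r\n", host);
    if (n < 0 || (size_t)n >= cap) return -1;
    for (int i = 0; i <= npieces; i++) {
        const char *piece = i < npieces ? pieces[i] : "";   /* "" yields "0\r\n\r\n" */
        int m = snprintf(buf + n, cap - n, "%zx\r\n%s\r\n", strlen(piece), piece);
        if (m < 0 || (size_t)m >= cap - n) return -1;
        n += m;
    }
    return n;
}

/* GET whose path is pathlen bytes of 'A', to see what the proxy does with a
 * request line longer than its own line buffer. */
static int build_long_get(char *buf, size_t cap, const char *host, size_t pathlen)
{
    if (pathlen + strlen(host) + 64 > cap) return -1;
    int n = snprintf(buf, cap, "GET /");
    memset(buf + n, 'A', pathlen);
    n += (int)pathlen;
    return n + snprintf(buf + n, cap - n,
                        " HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n", host);
}

/* Status code from an HTTP/1.x status line, or -1 if it is not one. */
static int status_code(const char *resp)
{
    int major, minor, code;
    return sscanf(resp, "HTTP/%d.%d %3d", &major, &minor, &code) == 3 ? code : -1;
}

/* Value of the Server: header ("" if absent), in a static buffer; case-sensitive. */
static const char *server_header(const char *resp)
{
    static char val[128];
    const char *p = strstr(resp, "\r\nServer:");
    size_t i = 0;
    val[0] = '\0';
    if (!p) return val;
    for (p += 9; *p == ' ' || *p == '\t'; p++) ;
    while (p[i] && p[i] != '\r' && i < sizeof val - 1) { val[i] = p[i]; i++; }
    val[i] = '\0';
    return val;
}

/* Send one raw request, keep the head of the reply in resp, return its status. */
static int probe(const char *host, const char *port, const char *req, size_t len,
                 char *resp, size_t cap)
{
    struct addrinfo hints = {0}, *res;
    int fd, code = -1;
    ssize_t got;
    hints.ai_socktype = SOCK_STREAM;
    resp[0] = '\0';
    if (getaddrinfo(host, port, &hints, &res) != 0) return -1;
    fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (fd >= 0 && connect(fd, res->ai_addr, res->ai_addrlen) == 0 &&
        write(fd, req, len) == (ssize_t)len && (got = read(fd, resp, cap - 1)) > 0) {
        resp[got] = '\0';
        code = status_code(resp);
    }
    if (fd >= 0) close(fd);
    freeaddrinfo(res);
    return code;
}

/* The chunked request for a fixed two-piece body (used by main and the checks). */
static const char *sample_chunked_request(const char *host)
{
    static char buf[512];
    const char *pieces[] = { "hello ", "world" };
    return build_chunked_post(buf, sizeof buf, host, pieces, 2) > 0 ? buf : NULL;
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "127.0.0.1";  /* assumed: Pound or Tomcat listener */
    const char *port = argc > 2 ? argv[2] : "80";
    static char req[70000], resp[4096];
    const char *chunked = sample_chunked_request(host);
    int code = chunked ? probe(host, port, chunked, strlen(chunked), resp, sizeof resp) : -1;
    printf("chunked POST:   status %d, Server: %s\n", code, server_header(resp));
    int n = build_long_get(req, sizeof req, host, 65000);
    code = n > 0 ? probe(host, port, req, (size_t)n, resp, sizeof resp) : -1;
    printf("65000-byte URL: status %d, Server: %s\n", code, server_header(resp));
    return 0;
}
```

Compile with `cc -o probe probe.c` and run `./probe <host> <port>` once for each listener. Connection: close makes a single read enough to get the reply head. If the Server header is identical through Pound and directly against Tomcat, the banner the scanner keys on is the back-end's own, as Robert says; Tomcat's HTTP connector sends `Apache-Coyote/1.1` by default, which is worth knowing when a report names Apache. A different status for the 65000-byte URL through Pound than directly is the MAXBUF truncation he describes, and the chunked POST should produce the same answer on both paths if the body really is passed through unchanged.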
