Hi,
 
    Thank you for your reply.
 
Our servers are Fedora Core 4
Our back-end servers are Tomcat 5.5.9
 
    We've made two different security scans:
1/ pound in front of our tomcats
    Qualys detects a severe vulnerability "Apache Chunked-Encoding Memory Corruption Vulnerability" (see below)
 
2/ tomcats alone accepting direct traffic
    Qualys reports no vulnerabilities at all.
 
Some observations:
  1. It seems that tomcat 5.5.9 doesn't have the "Apache Chunked-Encoding Memory Corruption Vulnerability".
  2. It seems that pound is not so transparent to qualys scan.
According to your reply, we know that pound doesn't buffer the data.
I'm not understanding very well: in order to dispatch the HTTP request to the back-end, pound must open it to match it to a URL group.
What happens if my URL is very very very very very long? What happens if I use Chunked Transfer Coding? Can I cause some damage?
 
Thank you!!!
 
Best regards,
 
Patrice
 
 
 
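The chunk-size handling that CVE-2002-0392 turns on, as an added example that is not part of the original thread and is not Pound's or Apache's code. It places the pattern named in the scanner report (the hex chunk-size read into a signed integer, then compared against a buffer bound and used as an unsigned length) next to a hardened parser for the same line, and finishes with a small decoder that applies the hardened parser to a complete chunked body. Assumptions: a 32-bit int for the vulnerable variant, and a hypothetical 8 KiB receive buffer (BUF_SIZE); nothing is ever actually over-copied, the vulnerable function only reports what the copy routine would have been told.

```c
/* Added example; not Pound's or Apache's code. Assumes 32-bit int and a
 * hypothetical 8 KiB receive buffer. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 8192 /* hypothetical receive buffer size */

/* Vulnerable pattern: the hex chunk-size lands in a signed 32-bit int, the
 * bound check only rejects positive values above BUF_SIZE, and the negative
 * value is then handed to a copy routine as size_t. Returns 1 if the check
 * would accept the chunk; copy_len gets the length the copy would use. */
int vulnerable_check(const char *size_line, size_t *copy_len)
{
    int32_t len = (int32_t)strtoul(size_line, NULL, 16); /* "FFFFFFF0" -> -16 */
    if (len > BUF_SIZE)
        return 0;
    *copy_len = (size_t)len; /* -16 -> SIZE_MAX - 15 */
    return 1;
}

/* Hardened parser for "chunk-size [ chunk-extension ] CRLF" (RFC 2616
 * 3.6.1): accumulates into size_t, rejects anything above max_chunk before
 * the multiply can wrap, requires at least one hex digit, and ignores a
 * trailing ";extension". Returns 0 on success, -1 on rejection. */
int parse_chunk_size(const char *size_line, size_t max_chunk, size_t *out)
{
    size_t val = 0;
    int digits = 0;
    const char *p = size_line;

    while (isxdigit((unsigned char)*p)) {
        unsigned char c = (unsigned char)*p;
        size_t d = isdigit(c) ? (size_t)(c - '0') : (size_t)(tolower(c) - 'a' + 10);
        if (d > max_chunk || val > (max_chunk - d) / 16) /* val*16+d <= max_chunk */
            return -1;
        val = val * 16 + d;
        p++;
        digits++;
    }
    if (digits == 0)
        return -1;
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p != '\0' && *p != ';' && *p != '\r' && *p != '\n')
        return -1;
    *out = val;
    return 0;
}

/* Decode a complete chunked body into out (capacity out_cap). The remaining
 * capacity is passed as max_chunk, so no chunk can overrun out. Returns the
 * decoded length, or -1 on malformed or truncated input; trailers after the
 * last-chunk are ignored. */
long decode_chunked(const char *body, size_t body_len, char *out, size_t out_cap)
{
    size_t pos = 0, written = 0;
    char line[32];

    for (;;) {
        const char *eol = memchr(body + pos, '\n', body_len - pos);
        size_t ll, clen;
        if (eol == NULL)
            return -1;
        ll = (size_t)(eol - (body + pos));
        if (ll >= sizeof line)
            return -1;
        memcpy(line, body + pos, ll);
        line[ll] = '\0';
        if (parse_chunk_size(line, out_cap - written, &clen) != 0)
            return -1;
        pos += ll + 1;
        if (clen == 0)
            return (long)written;          /* last-chunk */
        if (body_len - pos < clen + 2)     /* chunk-data plus CRLF must be present */
            return -1;
        memcpy(out + written, body + pos, clen);
        written += clen;
        pos += clen;
        if (body[pos] != '\r' || body[pos + 1] != '\n')
            return -1;
        pos += 2;
    }
}

int main(void)
{
    /* constructed sample body: two chunks, then the last-chunk */
    static const char body[] = "5\r\nHello\r\n6\r\n World\r\n0\r\n\r\n";
    char out[64];
    size_t n = 0;
    long len = decode_chunked(body, sizeof body - 1, out, sizeof out);

    printf("decoded %ld bytes: %.*s\n", len, (int)len, out);
    printf("vulnerable check accepts FFFFFFF0: %d, would copy %zu bytes\n",
           vulnerable_check("FFFFFFF0", &n), n);
    printf("hardened parser accepts FFFFFFF0: %s\n",
           parse_chunk_size("FFFFFFF0", BUF_SIZE, &n) == 0 ? "yes" : "no");
    return 0;
}
```

The bound check in parse_chunk_size is done before the multiply, against the space actually left in the destination, which is the property the signed comparison in vulnerable_check lacks: a chunk-size of FFFFFFF0 passes the signed check as -16 and reaches the copy as a length near SIZE_MAX, while the hardened parser rejects it on the first digit that would exceed the limit. The same shape applies to any length field that is parsed and then used for buffer arithmetic, not only to chunk sizes.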
----- Original Message -----
From: "Robert Segall" <roseg@apsis.ch>
To: <pound@apsis.ch>
Sent: Tuesday, September 20, 2005 12:35 PM
Subject: Re: [Pound Mailing List] pound and Apache Chunked-Encoding Memory Corruption Vulnerability

On Tue, 20 Sep 2005 11:09:29 +0200 Patrice Léonard
<patrice.leonard@citobi.be> wrote:

> Hi,
>
>     We have pound in front of some tomcats. Qualys (www.qualys.com)
>     scans our servers to report vulnerabilities to us.
>
> Here is the "Scan Vulnerabilities Report" we received:
>
>    Severity Analysis
>         5  Vulnerability:  Apache Chunked-Encoding Memory Corruption
>         Vulnerability
>             Qualys ID : 86352    CVE ID : CVE-2002-0392
>             Port : 80 
>             Diagnosis: 
>             Apache is a freely available Web server for Unix and Linux
>             variants, as well as Microsoft operating systems. Various
>             products, such as StrongHold, Oracle 9iAS and IBM
>             Websphere, use or bundle Apache.
>
>             The HTTP protocol specifies a method of data coding called
>             'Chunked Encoding', designed to facilitate fragmentation
>             of HTTP requests in transit. A vulnerability has been
>             discovered in the Apache implementation of 'Chunked
>             Encoding'. When processing requests coded with the
>             'Chunked Encoding' mechanism, Apache fails to properly
>             calculate required buffer sizes. This is due to improper
>             (signed) interpretation of an unsigned integer value.
>
>             On Windows and Netware platforms, Apache uses threads
>             within a single server process to handle concurrent
>             connections. Causing the server process to crash on these
>             platforms may result in a denial of service. The link
>             http://httpd.apache.org/info/security_bulletin_20020617.txt
>             provides additional information on this vulnerability for
>             Apache running on Windows.
>           
>             Consequences:  This vulnerability can be exploited by an
>             attacker to cause a Denial of Service and even execute
>             arbitrary code on the vulnerable machine.  Solution: 
>             This vulnerability has been fixed in Apache 1.3.26 and
>             Apache 2.0.37. Please upgrade to the latest version.
>
>             An efix (via APAR PQ62369) is available for IHS from the
>             IBM HTTP Server Downloads webpage.
>
>             A complete list of vendor status and fixes can be found in
>             CERT advisory CA-2002-17
>           
>             Result:  Detailed result listings are provided in the Free
>             7-day Trial
>
> We don't have any apache running on our server, but qualys seems to
> detect an Apache Vulnerability.
>   a.. Is pound secured?

Yes, we believe it to be. Pound does not buffer the data at all - it
just passes the chunks as they arrive directly to the back-end.

>   b.. Can I make something to prevent qualys reporting a such
>   vulnerability?

No. Pound is transparent, so your scan really reports on the back-end
server. The scanner is not even aware that Pound sits in the middle, and
in fact it reports the server to be Apache!

>   c.. We believe in pound, but such reports could
>   prevent some company to use it. (It's a matter of trust between the
>   company and its customers)

So fix your back-end or, even better, educate your users about the true
values of these scans. Attempting to use or interpret scan results
without an understanding of the underlying problem is not very
productive.

>   d.. To test, you can make a qualys
>   freescan at this URL:
>   https://freescan.qualys.com/index.php?lsid=6302
> For us, pound is the best reverse-proxy solution we've seen, thank you
> to help us adopt it!!!

Glad you like it. Hopefully you'll help make it better.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904

--
To unsubscribe send an email with subject 'unsubscribe' to
pound@apsis.ch.
Please contact roseg@apsis.ch for questions.
http://192.168.1.2:8080/Apsis/pound/pound_list/archive/2005/2005-09/1127207369000/1127212536000