pound solution to CAN-2005-2088 - HTTP Response Splitting Attacks / FX <gentoo@sbcglobal.net>

/ Zope / Apsis / Pound Mailing List / Archive / 2005 / 2005-10 / pound solution to CAN-2005-2088 - HTTP Response Splitting Attacks

[ Simple security features in pound / FX ... ] [ When a backend server hangs up... / Martin PAPY ... ]

pound solution to CAN-2005-2088 - HTTP Response Splitting Attacks
FX <gentoo(at)sbcglobal.net>

2005-10-15 23:34:02

[ FULL ]

Perhaps pound can take the following  approach to this problem:

Apache 2.0.55 changelog:
...
  *) proxy HTTP: If a response contains both Transfer-Encoding and a
     Content-Length, remove the Content-Length and don't reuse the
     connection, mitigating some HTTP Response Splitting attacks.
     [Jeff Trawick]
...

For proxies, I think this will become the defacto standard way of 
dealing with this security risk.