Bug 95709 - (CVE-2005-2088) VUL-0: CVE-2005-2088: apache2 request smuggling?
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: All
Priority: P5 - None
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
Whiteboard: CVE-2005-1268: CVSS v2 Base Score: 5....
Reported: 2005-07-08 11:43 UTC by Marcus Meissner
Modified: 2016-09-09 11:16 UTC
Found By: Other

Attachments
HTTP-Request-Smuggling.pdf (169.93 KB, application/pdf), 2005-07-08 11:43 UTC, Marcus Meissner
httpd-2.0.52-CAN-2005-2088.patch (1.17 KB, patch), 2005-07-11 06:42 UTC, Ludwig Nussel
fix in 1.3 branch (6.78 KB, text/plain), 2005-08-04 09:19 UTC, Peter Poeml
patch from svn (3.55 KB, patch), 2005-08-04 10:50 UTC, Peter Poeml
Description Marcus Meissner 2005-07-08 11:43:13 UTC
http://www.whitedust.net/speaks/825/Apache Request Smuggling Vulnerability/
reports:

Extract:

All versions of Apache previous to 2.1.6 are vulnerable to a HTTP request
smuggling attack which can allow malicious piggybacking of false HTTP requests
hidden within valid content. This method of HTTP Request Smuggling was first
discussed by Watchfire some time ago. The issue has been addressed by an
update to version 2.1.6.

Editorial Comment:

The vulnerability involves a crafted request with a 'Transfer-Encoding:
chunked' header and a 'Content-Length' header, which can cause Apache to
forward a modified request with the original 'Content-Length' header. The
malicious request may then piggyback with the valid HTTP request possibly
resulting in cache poisoning, cross-site scripting, session hijacking and
other various kinds of attack. This vulnerability has resurfaced due to vendor
confirmation; the original Watchfire Whitepaper on HTTP Request Smuggling is
here.

addict3d reports that mostly all Apache 2.0.x versions, on the major
platforms, are vulnerable to this attack. Apache has promptly released a 2.1.6
version of their HTTP software to address this issue.
Comment 1 Marcus Meissner 2005-07-08 11:43:47 UTC
Created attachment 41427 [details]
HTTP-Request-Smuggling.pdf

paperthingie
Comment 2 Marcus Meissner 2005-07-08 11:44:06 UTC
is this for real, peter? 
Comment 3 Peter Poeml 2005-07-08 12:54:01 UTC
Yes. It is now CAN-2005-2088.

The original reference was
http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf.

It was fixed already in the 2.1 development branch, and became public
with the release of the alpha package. A fix for 2.0 is already in CVS.
2.0.55 is expected to be released soon.

1.3 is not affected, as some people have claimed.
Comment 4 Peter Poeml 2005-07-08 13:24:07 UTC
I have to correct myself, there is no fix yet in the 2.0.x branch.
Comment 5 Ludwig Nussel 2005-07-11 06:41:43 UTC
Date: Fri, 8 Jul 2005 19:26:26 +0100
From: Joe Orton <jorton@redhat.com>
To: vendor-sec@lst.de
Subject: Re: [vendor-sec] Apache vulnerabilities

To confirm, the CAN-2005-1268 fix is:

  *) SECURITY: CAN-2005-1268 (cve.mitre.org)
     mod_ssl: Fix off-by-one overflow whilst printing CRL information
     at "LogLevel debug" which could be triggered if configured
     to use a "malicious" CRL.  PR 35081.  [Marc Stern <mstern csc.com>]

patch via: http://svn.apache.org/viewcvs.cgi?rev=189562&view=rev

The complete fix for CAN-2005-2088 used upstream is these two patches:

http://svn.apache.org/viewcvs.cgi/httpd/httpd/branches/2.0.x/modules/proxy/proxy_http.c?rev=171205&r1=151405&r2=171205
http://people.apache.org/~jorton/ap_tevscl.diff

the latter has not been approved for backport to the 2.0.x branch yet.

The former is quite risky; there's a simpler alternative, attached the
complete patch we're using.

Neither CAN-2005-2088 nor CAN-2005-1268 affect Apache 1.3.

joe
Comment 6 Ludwig Nussel 2005-07-11 06:42:14 UTC
Created attachment 41538 [details]
httpd-2.0.52-CAN-2005-2088.patch
Comment 7 Marcus Meissner 2005-07-11 08:03:55 UTC
swampid: 1767 
Comment 8 Peter Poeml 2005-07-12 22:30:26 UTC
apache.org had a DoS problem all day, viewcvs has been down and
subversion access flaky; but I found the patch on the commit list.

I submitted packages with fixes for both CAN-2005-2088+CAN-2005-1268 for
STABLE as well as:
/work/SRC/old-versions/8.2/all/apache2 -> /work/src/done/8.2
/work/SRC/old-versions/9.0/all/apache2 -> /work/src/done/9.0
/work/SRC/old-versions/9.1/BETA/all/apache2 -> /work/src/done/9.1
/work/SRC/old-versions/9.2/all/apache2 -> /work/src/done/9.2
/work/SRC/old-versions/9.3/all/apache2 -> /work/src/done/9.3

(Of the two apache2 packages in 9.1/SLES and 9.1/BETA, the latter is the
newer one, since the SP2 merge has not taken place. Hence it is taken
from there.)
Comment 9 Peter Poeml 2005-07-13 15:17:39 UTC
assigning to security-team for further processing.
Comment 10 Ludwig Nussel 2005-07-18 14:53:28 UTC
The following subpackages were updated in 8.2-9.1 previously:
8.2:
apache2,apache2-prefork,apache2-worker,apache2-leader,apache2-devel,apache2-doc,apache2-example-pages,libapr0
9.0:
apache2,apache2-prefork,apache2-worker,apache2-leader,apache2-metuxmpm,apache2-devel,apache2-doc,apache2-example-pages,libapr0
9.1:
apache2,apache2-prefork,apache2-worker,apache2-devel,apache2-doc,apache2-example-pages,libapr0
sles9:
apache2,apache2-devel,apache2-doc,apache2-example-pages,apache2-prefork,apache2-worker,libapr0

Which ones are needed for the current update in 9.2 and 9.3? Only apache2
itself?
Comment 11 Peter Poeml 2005-07-18 14:58:27 UTC
For CAN-2005-2088: apache2-prefork, apache2-worker, apache2-leader, apache2-metuxmpm
For CAN-2005-1268: the apache2 package.
Comment 12 Peter Poeml 2005-07-18 15:57:06 UTC
In the past, I have added all subpackages to the patchinfos. Problem is
that the list differs between releases. I always used the skeletons
here: ~poeml/tmp/patchinfos-apache2
Comment 13 Ludwig Nussel 2005-07-19 07:03:51 UTC
There is no need to include unaffected subpackages, saves bandwidth. So for
9.2 and 9.3 it's apache2,apache2-prefork,apache2-worker
Comment 14 Ludwig Nussel 2005-07-27 07:32:13 UTC
updates released 
Comment 15 Ludwig Nussel 2005-08-04 07:56:15 UTC
Mandrake has issued an update for CAN-2005-2088 for apache 1.3! 
Comment 16 Peter Poeml 2005-08-04 09:18:31 UTC
Looking
Comment 17 Peter Poeml 2005-08-04 09:19:30 UTC
Created attachment 44777 [details]
fix in 1.3 branch
Comment 18 Peter Poeml 2005-08-04 09:20:43 UTC
Date: Tue, 19 Jul 2005 16:36:13 -0500
To: dev@httpd.apache.org
From: "William A. Rowe, Jr." <wrowe@rowe-clan.net>
Subject: Re: [patch 1.3] The http_protocol.c C-L + T-E patch
Cc: dev@httpd.apache.org
X-Spam-Status: No, hits=0.0 tagged_above=-20.0 required=5.0 tests=BAYES_50

At 04:11 PM 7/19/2005, Joe Orton wrote:
>On Tue, Jul 19, 2005 at 02:59:14PM -0500, William Rowe wrote:
>> Paul?  Joe?  Jeff?  Someone?
>>
>> This is the only showstopper to a 1.3.34 candidate today,
>> since 1.3.x/src/modules/proxy/mod_proxy.c rejects T-E
>> for proxy request bodies.
>
>Since the 1.3 proxy already rejects such requests what does this patch
>actually fix?

Hmmm...

  mod_isapi?
  mod_php?
  mod_cgi?
  mod_jk?

shall I keep digging?

Bill

Comment 19 Peter Poeml 2005-08-04 10:50:43 UTC
Created attachment 44785 [details]
patch from svn
Comment 20 Peter Poeml 2005-08-04 10:54:12 UTC
Note to self: 62859 (buffer overflow htpasswd.c) ought to be fixed
together with this one
Comment 21 Peter Poeml 2005-08-10 12:02:00 UTC
I submitted these fixed packages:

/work/SRC/old-versions/8.1/UL/all/apache -> /work/src/done/SLES8
/work/SRC/old-versions/9.0/all/apache -> /work/src/done/9.0
/work/SRC/old-versions/9.1/SLES/all/apache -> /work/src/done/9.1

Changelog:

- security fix [CAN-2005-2088 (cve.mitre.org)]: core: If a request
  contains both Transfer-Encoding and a Content-Length, remove the
  Content-Length, stopping some HTTP Request smuggling attacks. [#95709]
- htpasswd security fixes (patches from openbsd): - use strncpy and
  friends [#62859] - use mkstemp instead of tempnam


The 9.1/sles9 package contains an additional fix -- see bug 83771:

- move the start of the %build section before running the mod_ssl
  configure script, so the variable ENABLE_MOD_SSL is set in the
  same environment where it is used. This adds engine support to
  mod_ssl again, by compiling with experimental engine support by
  configuring apache with --enable-rule=SSL_EXPERIMENTAL. [#83771]

Sorry about the inconvenience this addition causes for assembling the
patchinfo files.

Reassigning to security team for further processing.
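As an added example (not code from the Apache project or from any of the patches attached to this bug), the following C snippet applies the changelog's rule to a constructed header set: a request carrying both Transfer-Encoding and Content-Length is the ambiguous case the report in the description talks about, and removing Content-Length whenever Transfer-Encoding is present leaves a single header to govern body framing. The header table, function names and sample header values are assumptions made for this example.

```c
#include <string.h>
#include <strings.h>

/* Minimal header table for this example (constructed; not Apache's apr_table_t). */
#define MAX_HDRS 16
typedef struct {
    const char *name[MAX_HDRS];
    const char *value[MAX_HDRS];
    int count;
} hdr_table;

void add_header(hdr_table *t, const char *name, const char *value) {
    if (t->count >= MAX_HDRS) return;
    t->name[t->count] = name; t->value[t->count] = value; t->count++;
}

/* Case-insensitive lookup, since HTTP header names are; returns -1 if absent. */
int find_header(const hdr_table *t, const char *name) {
    for (int i = 0; i < t->count; i++)
        if (strcasecmp(t->name[i], name) == 0) return i;
    return -1;
}

/* The condition CAN-2005-2088 concerns: both framing headers on one request,
 * so two parsers in the chain may disagree on where the body ends. */
int request_is_ambiguous(const hdr_table *t) {
    return find_header(t, "Transfer-Encoding") >= 0 &&
           find_header(t, "Content-Length") >= 0;
}

/* The rule from the changelog above: if Transfer-Encoding is present, remove
 * every Content-Length so only Transfer-Encoding governs framing.
 * Returns how many Content-Length headers were removed. */
int normalize_framing_headers(hdr_table *t) {
    int removed = 0, i;
    if (find_header(t, "Transfer-Encoding") < 0) return 0;
    while ((i = find_header(t, "Content-Length")) >= 0) {
        for (int j = i; j + 1 < t->count; j++) {   /* shift later headers down */
            t->name[j] = t->name[j + 1];
            t->value[j] = t->value[j + 1];
        }
        t->count--; removed++;
    }
    return removed;
}

/* Constructed sample request carrying both headers (values are made up). */
hdr_table sample_request(void) {
    hdr_table t = { {0}, {0}, 0 };
    add_header(&t, "Host", "example.test");
    add_header(&t, "Content-Length", "44");
    add_header(&t, "Transfer-Encoding", "chunked");
    return t;
}
```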
Comment 22 Marcus Meissner 2005-08-15 15:54:55 UTC
released apache1 updates now. 
Comment 23 Marcus Meissner 2005-08-15 16:09:55 UTC
will write advisory tomorrow 
Comment 24 Marcus Meissner 2005-08-16 12:18:51 UTC
adv released  
Comment 25 Thomas Biege 2009-10-13 21:31:39 UTC
CVE-2005-1268: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)