Bugzilla – Bug 95709
VUL-0: CVE-2005-2088: apache2 request smuggling?
Last modified: 2016-09-09 11:16:49 UTC
http://www.whitedust.net/speaks/825/Apache Request Smuggling Vulnerability/ reports:

Extract: All versions of Apache previous to 2.1.6 are vulnerable to an HTTP request smuggling attack which can allow malicious piggybacking of false HTTP requests hidden within valid content. This method of HTTP Request Smuggling was first discussed by Watchfire some time ago. The issue has been addressed by an update to version 2.1.6.

Editorial Comment: The vulnerability involves a crafted request with a 'Transfer-Encoding: chunked' header and a 'Content-Length' header, which can cause Apache to forward a modified request with the original 'Content-Length' header. The malicious request may then piggyback on the valid HTTP request, possibly resulting in cache poisoning, cross-site scripting, session hijacking and various other kinds of attack. This vulnerability has resurfaced due to vendor confirmation; the original Watchfire whitepaper on HTTP Request Smuggling is here. addict3d reports that mostly all Apache 2.0.x versions, on the major platforms, are vulnerable to this attack. Apache has promptly released a 2.1.6 version of their HTTP software to address this issue.
Created attachment 41427 [details] HTTP-Request-Smuggling.pdf paperthingie
Is this for real, Peter?
Yes. It is now CAN-2005-2088. The original reference was http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf. It was fixed already in the 2.1 development branch, and became public with the release of the alpha package. A fix for 2.0 is already in CVS. 2.0.55 is expected to be released soon. 1.3 is not affected, as some people have claimed.
I have to correct myself, there is no fix yet in the 2.0.x branch.
Date: Fri, 8 Jul 2005 19:26:26 +0100
From: Joe Orton <jorton@redhat.com>
To: vendor-sec@lst.de
Subject: Re: [vendor-sec] Apache vulnerabilities

To confirm, the CAN-2005-1268 fix is:

*) SECURITY: CAN-2005-1268 (cve.mitre.org) mod_ssl: Fix off-by-one overflow whilst printing CRL information at "LogLevel debug" which could be triggered if configured to use a "malicious" CRL. PR 35081. [Marc Stern <mstern csc.com>]

patch via: http://svn.apache.org/viewcvs.cgi?rev=189562&view=rev

The complete fix for CAN-2005-2088 used upstream is these two patches:

http://svn.apache.org/viewcvs.cgi/httpd/httpd/branches/2.0.x/modules/proxy/proxy_http.c?rev=171205&r1=151405&r2=171205
http://people.apache.org/~jorton/ap_tevscl.diff

the latter has not been approved for backport to the 2.0.x branch yet. The former is quite risky; there's a simpler alternative, attached the complete patch we're using.

Neither CAN-2005-2088 nor CAN-2005-1268 affect Apache 1.3.

joe
Created attachment 41538 [details] httpd-2.0.52-CAN-2005-2088.patch
swampid: 1767
apache.org had a DoS problem all day, viewcvs has been down and subversion access flaky; but I found the patch on the commit list.

I submitted packages with fixes for both CAN-2005-2088+CAN-2005-1268 for STABLE as well as:

/work/SRC/old-versions/8.2/all/apache2 -> /work/src/done/8.2
/work/SRC/old-versions/9.0/all/apache2 -> /work/src/done/9.0
/work/SRC/old-versions/9.1/BETA/all/apache2 -> /work/src/done/9.1
/work/SRC/old-versions/9.2/all/apache2 -> /work/src/done/9.2
/work/SRC/old-versions/9.3/all/apache2 -> /work/src/done/9.3

(Of the two apache2 packages in 9.1/SLES and 9.1/BETA, the latter is the newer one, since the SP2 merge has not taken place. Hence it is taken from there.)
assigning to security-team for further processing.
The following subpackages were updated in 8.2-9.1 previously:

8.2: apache2, apache2-prefork, apache2-worker, apache2-leader, apache2-devel, apache2-doc, apache2-example-pages, libapr0
9.0: apache2, apache2-prefork, apache2-worker, apache2-leader, apache2-metuxmpm, apache2-devel, apache2-doc, apache2-example-pages, libapr0
9.1: apache2, apache2-prefork, apache2-worker, apache2-devel, apache2-doc, apache2-example-pages, libapr0
sles9: apache2, apache2-devel, apache2-doc, apache2-example-pages, apache2-prefork, apache2-worker, libapr0

Which ones are needed for the current update in 9.2 and 9.3? Only apache2 itself?
For CAN-2005-2088: apache2-prefork, apache2-worker, apache2-leader, apache2-metuxmpm
For CAN-2005-1268: the apache2 package.
In the past, I have added all subpackages to the patchinfos. Problem is that the list differs between releases. I always used the skeletons here: ~poeml/tmp/patchinfos-apache2
There is no need to include unaffected subpackages; it saves bandwidth. So for 9.2 and 9.3 it's apache2, apache2-prefork, apache2-worker.
updates released
Mandrake has issued an update for CAN-2005-2088 for apache 1.3!
Looking
Created attachment 44777 [details] fix in 1.3 branch
Date: Tue, 19 Jul 2005 16:36:13 -0500
To: dev@httpd.apache.org
From: "William A. Rowe, Jr." <wrowe@rowe-clan.net>
Subject: Re: [patch 1.3] The http_protocol.c C-L + T-E patch
Cc: dev@httpd.apache.org

At 04:11 PM 7/19/2005, Joe Orton wrote:
>On Tue, Jul 19, 2005 at 02:59:14PM -0500, William Rowe wrote:
>> Paul? Joe? Jeff? Someone?
>>
>> This is the only showstopper to a 1.3.34 candidate today,
>> since 1.3.x/src/modules/proxy/mod_proxy.c rejects T-E
>> for proxy request bodies.
>
>Since the 1.3 proxy already rejects such requests what does this patch
>actually fix?

Hmmm... mod_isapi? mod_php? mod_cgi? mod_jk? shall I keep digging?

Bill
Created attachment 44785 [details] patch from svn
Note to self: 62859 (buffer overflow htpasswd.c) ought to be fixed together with this one
I submitted these fixed packages:

/work/SRC/old-versions/8.1/UL/all/apache -> /work/src/done/SLES8
/work/SRC/old-versions/9.0/all/apache -> /work/src/done/9.0
/work/SRC/old-versions/9.1/SLES/all/apache -> /work/src/done/9.1

Changelog:

- security fix [CAN-2005-2088 (cve.mitre.org)]: core: If a request contains both Transfer-Encoding and a Content-Length, remove the Content-Length, stopping some HTTP Request smuggling attacks. [#95709]
- htpasswd security fixes (patches from openbsd):
  - use strncpy and friends [#62859]
  - use mkstemp instead of tempnam

The 9.1/sles9 package contains an additional fix -- see bug 83771:

- move the start of the %build section before running the mod_ssl configure script, so the variable ENABLE_MOD_SSL is set in the same environment where it is used. This adds engine support to mod_ssl again, by compiling with experimental engine support by configuring apache with --enable-rule=SSL_EXPERIMENTAL. [#83771]

Sorry about the inconvenience this addition causes for assembling the patchinfo files.

Reassigning to security team for further processing.
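The two technical points in this bug, the whitedust description of a request carrying both Transfer-Encoding: chunked and Content-Length, and the changelog entry above ("If a request contains both Transfer-Encoding and a Content-Length, remove the Content-Length"), are easier to see with the bytes in hand. The following is an added illustration, not code from the bug, from Apache httpd, or from the SUSE packages: it frames one constructed TCP payload the way an agent that trusts Content-Length would and the way an agent that honours chunked encoding would, shows the leftover bytes each one treats as the next request, and then applies the same normalization the changelog describes. The hostname, paths and request bytes are all made up for the example; the only real-world behaviour it models is the precedence rule that chunked framing wins over Content-Length.

```python
# Added example for bug 95709 / CAN-2005-2088. Standalone Python 3, no network.
# Not Apache code: a minimal model of a CL.TE desync and of the header
# normalization from the changelog (drop Content-Length when T-E is present).

from typing import List, Optional, Tuple

Header = Tuple[bytes, bytes]

# Constructed sample traffic (not a capture). One payload holds a POST whose
# Content-Length covers everything that follows, while the chunked body ends
# at the zero-length chunk. The bytes after that chunk are the smuggled request.
CHUNK_END = b"0\r\n\r\n"
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
BODY = CHUNK_END + SMUGGLED
SAMPLE = (
    b"POST /search HTTP/1.1\r\n"
    + b"Host: www.example.test\r\n"
    + b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    + b"Transfer-Encoding: chunked\r\n"
    + b"\r\n"
    + BODY
)


def parse_head(buf: bytes) -> Tuple[bytes, List[Header], bytes]:
    """Split a raw request into request line, lower-cased (name, value)
    headers, and the bytes that follow the blank line."""
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, rest


def get_header(headers: List[Header], name: bytes) -> Optional[bytes]:
    for key, value in headers:
        if key == name:
            return value
    return None


def consume_chunked(rest: bytes) -> int:
    """Number of bytes of `rest` belonging to a chunked body: every chunk, the
    terminating zero chunk, and the blank line that closes the trailer section."""
    pos = 0
    while True:
        eol = rest.index(b"\r\n", pos)
        size = int(rest[pos:eol].split(b";", 1)[0], 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            break
        pos += size + 2                                     # chunk data + CRLF
    while True:                                             # trailer headers, if any
        eol = rest.index(b"\r\n", pos)
        line = rest[pos:eol]
        pos = eol + 2
        if not line:
            return pos


def frame_request(buf: bytes, content_length_first: bool) -> Tuple[bytes, bytes]:
    """Return (first request, remainder). A correct parser gives chunked
    encoding precedence; content_length_first=True models an agent that trusts
    Content-Length when both headers are present, which is what a desync needs."""
    _, headers, rest = parse_head(buf)
    head_len = len(buf) - len(rest)
    cl = get_header(headers, b"content-length")
    te = get_header(headers, b"transfer-encoding")
    chunked = te is not None and te.lower().endswith(b"chunked")
    if chunked and not (content_length_first and cl is not None):
        body_len = consume_chunked(rest)
    elif cl is not None:
        body_len = int(cl)
    else:
        body_len = 0
    end = head_len + body_len
    return buf[:end], buf[end:]


def drop_content_length_if_chunked(buf: bytes) -> bytes:
    """The changelog's normalization: when Transfer-Encoding is present, forward
    the request without Content-Length so every hop frames the body the same
    way. Header names are re-emitted lower-cased, which HTTP permits."""
    request_line, headers, rest = parse_head(buf)
    if get_header(headers, b"transfer-encoding") is None:
        return buf
    kept = [(k, v) for k, v in headers if k != b"content-length"]
    head = b"\r\n".join([request_line] + [k + b": " + v for k, v in kept])
    return head + b"\r\n\r\n" + rest


def desync_report(buf: bytes) -> dict:
    """What each framing decision leaves over after the first request, before
    and after normalization."""
    _, front_rest = frame_request(buf, content_length_first=True)
    _, back_rest = frame_request(buf, content_length_first=False)
    fixed = drop_content_length_if_chunked(buf)
    _, fixed_rest = frame_request(fixed, content_length_first=True)
    return {
        "frontend_remainder": front_rest,    # b"": whole tail swallowed as body
        "backend_remainder": back_rest,      # the smuggled GET /admin
        "fixed_remainder": fixed_rest,       # now identical to the backend view
        "fixed_has_content_length": b"content-length" in fixed.lower(),
    }


if __name__ == "__main__":
    for key, value in desync_report(SAMPLE).items():
        print(key, value)
```

The report shows the mismatch the bug is about: the Content-Length-trusting hop forwards the entire payload as one request, the chunked-aware hop stops at the zero chunk and treats `GET /admin` as a second request on the same connection. Once Content-Length is stripped, even the Content-Length-first parser has nothing to prefer and falls back to chunked framing, so both sides see the same boundary. This is also why the 1.3 thread quoted below asks what the core patch fixes when the proxy already rejects T-E bodies: the answer there is every other consumer of the request body (CGI, ISAPI, PHP, mod_jk).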
released apache1 updates now.
will write advisory tomorrow
adv released
CVE-2005-1268: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)