Bug 1082903 (CVE-2013-5704) - CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests
Summary: CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-5704
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20131019,reported=2...
Depends On: 1167159 1082908 1166709 1167158 1167817 1175781 1238189
Blocks: 1082909 1149710 1193283 1204223 1286624 1290842
TreeView+ depends on / blocked
 
Reported: 2014-04-01 04:48 UTC by Murray McAllister
Modified: 2019-08-15 03:48 UTC (History)
38 users (show)

Fixed In Version: httpd 2.2.29, httpd 2.4.11
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:32:18 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1972 normal SHIPPED_LIVE Low: httpd24-httpd security and bug fix update 2014-12-09 23:07:45 UTC
Red Hat Product Errata RHSA-2015:0325 normal SHIPPED_LIVE Low: httpd security, bug fix, and enhancement update 2015-03-05 11:59:16 UTC
Red Hat Product Errata RHSA-2015:1249 normal SHIPPED_LIVE Low: httpd security, bug fix, and enhancement update 2015-07-20 17:50:12 UTC
Red Hat Product Errata RHSA-2015:2659 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 3.0.2 security update 2015-12-16 23:20:00 UTC
Red Hat Product Errata RHSA-2015:2660 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 3.0.2 security update 2015-12-16 23:19:47 UTC
Red Hat Product Errata RHSA-2015:2661 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 3.0.2 security update 2015-12-16 23:19:41 UTC
Red Hat Product Errata RHSA-2016:0061 normal SHIPPED_LIVE Moderate: httpd and httpd22 security update 2016-01-21 20:54:46 UTC
Red Hat Product Errata RHSA-2016:0062 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 2.1.0 security update 2018-02-15 23:12:52 UTC

Description Murray McAllister 2014-04-01 04:48:38 UTC
Martin Holst Swende discovered a flaw in the way mod_headers handled chunked requests. A remote attacker could use this flaw to bypass intended mod_headers restrictions, allowing them to send requests to applications that include headers that should have been removed by mod_headers.

Discussion and a possible patch is available from the following thread:

http://marc.info/?t=138219209900002&r=1&w=2

References:

http://martin.swende.se/blog/HTTPChunked.html

Comment 1 Murray McAllister 2014-04-01 05:09:22 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1082908]

Comment 3 Joe Orton 2014-04-01 14:44:23 UTC
My position on this:

http://marc.info/?l=apache-httpd-dev&m=139636309822854&w=2

Comment 4 Huzaifa S. Sidhpurwala 2014-06-13 05:20:30 UTC
This could really be considered as a border line security case, perhaps even dismissed as a bug rather than a security flaw.

Applications should be careful about making authentication or authorization decisions based on a the presence or absence of a particular header in the HTTP request, as these headers can be easily crafted by malicious users. 

Presence of  mod_headers rules to filter these headers from the user request should not be considered as the only condition on which applications base these decisions.

The above being said, there is no upstream fix for this issue yet.

Comment 5 Huzaifa S. Sidhpurwala 2014-06-13 05:29:56 UTC
Statement:

This issue affects the versions of the httpd package as shipped with Red Hat JBoss Enterprise Application Platform 6; and Red Hat JBoss Web Server 2. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Red Hat Certificate System does not use the mod_headers module, even when installed, and is thus not affected by this flaw.

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Red Hat JBoss Enterprise Application Platform 5 and Red Hat JBoss Web Server 1 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/

Comment 8 Micky Gough 2014-09-05 02:31:36 UTC
This has been patched upstream in Apache 2.2.28/2.2.29 released September 1. 

Changelog: http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/CHANGES

Comment 12 Tomas Hoger 2014-11-24 12:24:19 UTC
Upstream commit:

http://svn.apache.org/viewvc?view=revision&revision=1610814

Related commit that updated the documentation for the new MergeTrailers configuration directive introduced as part of the fix for this issue, and that can be used to restore old HTTP trailers handling behavior:

http://svn.apache.org/viewvc?view=revision&revision=1619821

Comment 14 Martin Prpič 2014-11-26 10:59:45 UTC
IssueDescription:

A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers.

Comment 15 errata-xmlrpc 2014-12-09 18:08:24 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7

Via RHSA-2014:1972 https://rhn.redhat.com/errata/RHSA-2014-1972.html

Comment 18 Fedora Update System 2015-02-28 10:22:40 UTC
httpd-2.4.10-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 errata-xmlrpc 2015-03-05 07:12:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0325 https://rhn.redhat.com/errata/RHSA-2015-0325.html

Comment 20 Fedora Update System 2015-03-16 01:41:27 UTC
httpd-2.4.10-15.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 26 Kurt Seifried 2015-05-08 20:49:31 UTC
This does not affect certificate server as it does not use the unset directive.

Comment 29 errata-xmlrpc 2015-07-22 05:53:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1249 https://rhn.redhat.com/errata/RHSA-2015-1249.html

Comment 34 errata-xmlrpc 2015-12-16 18:21:10 UTC
This issue has been addressed in the following products:

  JBoss Web Server 3.0.2

Via RHSA-2015:2661 https://rhn.redhat.com/errata/RHSA-2015-2661.html

Comment 35 errata-xmlrpc 2015-12-16 18:21:53 UTC
This issue has been addressed in the following products:

  JWS 3.0 for RHEL 7

Via RHSA-2015:2660 https://access.redhat.com/errata/RHSA-2015:2660

Comment 36 errata-xmlrpc 2015-12-16 18:22:34 UTC
This issue has been addressed in the following products:

  JWS 3.0 for RHEL 6

Via RHSA-2015:2659 https://access.redhat.com/errata/RHSA-2015:2659

Comment 38 errata-xmlrpc 2016-01-21 15:55:58 UTC
This issue has been addressed in the following products:

  JBoss Web Server 2.1.0

Via RHSA-2016:0062 https://rhn.redhat.com/errata/RHSA-2016-0062.html

Comment 39 errata-xmlrpc 2016-01-21 15:58:30 UTC
This issue has been addressed in the following products:

  JBEWS 2 for RHEL 7
  JBEWS 2 for RHEL 6
  JBEWS 2 for RHEL 5

Via RHSA-2016:0061 https://rhn.redhat.com/errata/RHSA-2016-0061.html


Note You need to log in before you can comment on or make changes to this bug.