Red Hat Bugzilla – Bug 1082903
CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests
Last modified: 2016-05-22 21:05:11 EDT
Martin Holst Swende discovered a flaw in the way mod_headers handled chunked requests. A remote attacker could use this flaw to bypass intended mod_headers restrictions, allowing them to send requests to applications that include headers that should have been removed by mod_headers. Discussion and a possible patch is available from the following thread: http://marc.info/?t=138219209900002&r=1&w=2 References: http://martin.swende.se/blog/HTTPChunked.html
Created httpd tracking bugs for this issue: Affects: fedora-all [bug 1082908]
My position on this: http://marc.info/?l=apache-httpd-dev&m=139636309822854&w=2
This could really be considered as a border line security case, perhaps even dismissed as a bug rather than a security flaw. Applications should be careful about making authentication or authorization decisions based on a the presence or absence of a particular header in the HTTP request, as these headers can be easily crafted by malicious users. Presence of mod_headers rules to filter these headers from the user request should not be considered as the only condition on which applications base these decisions. The above being said, there is no upstream fix for this issue yet.
Statement: This issue affects the versions of the httpd package as shipped with Red Hat JBoss Enterprise Application Platform 6; and Red Hat JBoss Web Server 2. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. Red Hat Certificate System does not use the mod_headers module, even when installed, and is thus not affected by this flaw. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/. Red Hat JBoss Enterprise Application Platform 5 and Red Hat JBoss Web Server 1 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/
This has been patched upstream in Apache 2.2.28/2.2.29 released September 1. Changelog: http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/CHANGES
Upstream commit: https://github.com/apache/httpd/commit/bd34b9d92894b7fc01810fc11a059fa30067e431#diff-381c180d963fb4507c77d80edb208224
Upstream commit: http://svn.apache.org/viewvc?view=revision&revision=1610814 Related commit that updated the documentation for the new MergeTrailers configuration directive introduced as part of the fix for this issue, and that can be used to restore old HTTP trailers handling behavior: http://svn.apache.org/viewvc?view=revision&revision=1619821
IssueDescription: A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers.
This issue has been addressed in the following products: Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 7 Via RHSA-2014:1972 https://rhn.redhat.com/errata/RHSA-2014-1972.html
httpd-2.4.10-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:0325 https://rhn.redhat.com/errata/RHSA-2015-0325.html
httpd-2.4.10-15.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
This does not affect certificate server as it does not use the unset directive.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:1249 https://rhn.redhat.com/errata/RHSA-2015-1249.html
This issue has been addressed in the following products: JBoss Web Server 3.0.2 Via RHSA-2015:2661 https://rhn.redhat.com/errata/RHSA-2015-2661.html
This issue has been addressed in the following products: JWS 3.0 for RHEL 7 Via RHSA-2015:2660 https://access.redhat.com/errata/RHSA-2015:2660
This issue has been addressed in the following products: JWS 3.0 for RHEL 6 Via RHSA-2015:2659 https://access.redhat.com/errata/RHSA-2015:2659
This issue has been addressed in the following products: JBoss Web Server 2.1.0 Via RHSA-2016:0062 https://rhn.redhat.com/errata/RHSA-2016-0062.html
This issue has been addressed in the following products: JBEWS 2 for RHEL 7 JBEWS 2 for RHEL 6 JBEWS 2 for RHEL 5 Via RHSA-2016:0061 https://rhn.redhat.com/errata/RHSA-2016-0061.html