Red Hat Bugzilla – Bug 162244
CAN-2005-2088 httpd proxy request smuggling
Last modified: 2007-11-30 17:07:18 EST
When using apache as a proxy, it is vulnerable to request smuggling.
(taken from bugtraq)
> "We describe a new web entity attack technique ï¿½ ï¿½HTTP Request
> Smugglingï¿½. The attack technique and the derived attacks are relevant
> to most web environments and is the result of a HTTP server or
> deviceï¿½s failure to properly handle malformed inbound HTTP requests.
> HTTP Request Smuggling works by taking advantage of the discrepancies
> in parsing when one or more HTTP devices/entities (e.g. Cache Server,
> Proxy Server, Web Application Firewall, etc.) are in the data flow
> between the user and the web server. HTTP Request Smuggling enables
> various attacks ï¿½ web cache poisoning, session hijacking, cross-site
> scripting and most serious the ability to bypass web application
> firewall protection.
This issue also affects RHEL3
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.