Red Hat Bugzilla – Bug 162245
CAN-2005-2088 httpd proxy request smuggling
Last modified: 2007-11-30 17:11:09 EST
+++ This bug was initially created as a clone of Bug #162244 +++
When using apache as a proxy, it is vulnerable to request smuggling.
(taken from bugtraq)
> "We describe a new web entity attack technique ï¿½ ï¿½HTTP Request
> Smugglingï¿½. The attack technique and the derived attacks are relevant
> to most web environments and is the result of a HTTP server or
> deviceï¿½s failure to properly handle malformed inbound HTTP requests.
> HTTP Request Smuggling works by taking advantage of the discrepancies
> in parsing when one or more HTTP devices/entities (e.g. Cache Server,
> Proxy Server, Web Application Firewall, etc.) are in the data flow
> between the user and the web server. HTTP Request Smuggling enables
> various attacks ï¿½ web cache poisoning, session hijacking, cross-site
> scripting and most serious the ability to bypass web application
> firewall protection.
This issue also affects FC3
Fixed in FEDORA-2005-638, FEDORA-2005-639: