Apache Request Smuggling Vulnerability Found 168
An anonymous reader writes "Whitedust is reporting on a HTTP request smuggling vulnerability in Apache. The flaw apparently allows attackers to piggy back valid HTTP requests over the 'Content-Length:' header, which can result in cache poisoning, cross-site scripting, session hijacking and other various kinds of attack. This flaw affects most of the 2.0.x branch of Apache's HTTPD server."
Fix-patch in 5...4...3... (Score:4, Insightful)
Anyway, it'll get a fix available likety-split. Go, OSS!
Re:Fix-patch in 5...4...3... (Score:2, Interesting)
Link [apache.org]
Re:Fix-patch in 5...4...3... (Score:2)
Re:Fix-patch in 5...4...3... (Score:4, Informative)
Re:Fix-patch in 5...4...3... (Score:5, Informative)
http://apache.org/docs/misc/FAQ.html#name [archive.org]">http:/
And then said this:
http://www.apache.org/docs/misc/FAQ.html#name [archive.org]">ht
Then they changed it to:
http://httpd.apache.org/docs/misc/FAQ.html#name [archive.org]">
Now they're trying to get rid of something they've perpetuated for years:
http://httpd.apache.org/docs/misc/FAQ.html#name [archive.org]">
and that seems to be the one that's remained until today. Who knows what it'll be tomorrow.
Re:Fix-patch in 5...4...3... (Score:2)
Re:Fix-patch in 5...4...3... (Score:2)
Re:Fix-patch in 5...4...3... (Score:5, Informative)
The bottom line is, according to archive.org, apache themselves claimed the "a patchy server" explanation on their own FAQ page from 1997 through Oct 2002.
Somewhere in there, they started tacking on an extra paragraph saying that to some developers, it also connoted the Indian meaning.
Somewhere between Oct 2003 and Feb 2003, they started calling the "a patchy server" explanation a myth, and saying the real explanation was the Indian thing.
Those of us who were around back when people used to run things like CERN httpd and NCSA httpd remember well that Apache was originally just a set of patches to fix/improve NCSA httpd, before it finally branched off into it's own seperate product. The "patch server" explanation fits the facts of the matter best.
Re:Fix-patch in 5...4...3... (Score:2)
In the beginning, there was... a patchy server (Score:2)
I don't know if a spin doctor is in charge, or
Not really maintaining... (Score:2)
I was helping maintain a couple of ports, doing tests and submitting patches. I wasn't a primary maintainer. Just to keep things straight!
Re:Fix-patch in 5...4...3... (Score:2)
Re:Fix-patch in 5...4...3... (Score:2)
So sez the Anonymous Coward. I take it you have never read 1984. Take a look around this thread for people who were in the community a decade ago and heard the "patchy" explanation when Apache came out. I guess, according to you, they are both liars AND deluded.
Re:Fix-patch in 5...4...3... (Score:2)
It's not "Native Americans" (Score:2)
It's not "Native Americans"; it's "Persons of Pre-Columbian American Immigrant Ancestry".
(Even that's not totally accurate, because it wasn't called "America" then.)
I was born in New Jersey, which makes me 100% "Native American", even though only some of my ancestors were here before Columbus came.
Calling someone "Native American" is as silly as calling someone "African American" (because all Americans (even Persons
Re:It's not "Native Americans" (Score:2)
Re:Fix-patch in 5...4...3... (Score:2)
LM: Who thought of the name Apache?
BB: I had some friends at a company called Enterprise Integration Technology, and somebody there asked me, "What would be your ideal Web server?" So I wrote about a bunch of stuff that I thought was missing from NCSA's server -- some stuff that still isn't in a lot of Web servers like revision control and stuff like that. I put it on a page and said: "I should come up with a name for this." The name literally came out of the blue. I wish I could say th
HTTP request smuggling (Score:5, Funny)
Re:HTTP request smuggling (Score:2)
So with all the potential jokes to be made, the best you could come up with was THAT political potshot? Smuggling around a wildly unpopular and wrongheaded ban on alcohol?
The anonymous coward who said "Arrrr" was funnier than you. That isn't even in the same room as funny.
And of all the reasons to dislike the Kennedies, that has to be SO far down on the list, so even the comment's political agenda isn't well-served.
Yeesh.
2.1.6 (Score:5, Informative)
Re:2.1.6 (Score:3, Informative)
Re:2.1.6 (Score:1)
good thing i don't have to upgrade
Re:2.1.6 (Score:2)
Re:2.1.6 (Score:2)
Last time I installed (a year or so ago) php still didn't work with apache 2, so I couldn't use it.
Re:2.1.6 (Score:2, Informative)
Last time I installed (a year or so ago) php still didn't work with apache 2, so I couldn't use it.
PHP has been working with Apache 2 for years. It's FUD that the PHP guys are spreading that it doesn't work with Apache 2.
It's unreliable with Apache 2's threaded MPMs, but it works fine with the (default) prefork MPM.
Apache Software Foundation member calling the PHP guys "just plain wrong" [drbacchus.com].
Re:2.1.6 (Score:3, Informative)
The no PHP on Apache2 FUD is just a meme that won't die, not the fault of the PHP folks.
Re:2.1.6 (Score:3, Informative)
Re:2.1.6 (Score:2)
Re:2.1.6 (Score:2, Funny)
Lame apache tribute:
http://www.adojji.org/adojji/ [adojji.org]
Re:2.1.6 (Score:2)
Not to say it's impossible, the HTTP request smuggling attack vector is real enough - the paper is interesting reading, see http://www.watchfire.com/resources/HTTP-Request-Sm uggling.pdf [watchfire.com]
Re:2.1.6 (Score:2)
If you're pretty sure you have no XSS vulnerabilities in your deployed applications, an
Re:2.1.6 (Score:5, Informative)
Partly, because it's actually a dupe... well disguised, though...
http://it.slashdot.org/article.pl?sid=05/06/12/14
Re:2.1.6 (Score:4, Informative)
Webmasters don't need to update anything, because there is no vulnerability from their perspective.
Request smuggling doesn't apply to a single web server, but rather to a combination proxy and web server that use a different method to determine how long a request is. In such an arrangement, an attacker could use smuggling to poison the proxy's cache or what have you, but the only customers who would be affected are others behind the same proxy.
Because this sort of attack is so limited in scope, the chances of any of us ever even hearing about an actual exploit are very slim. The only people who really need to worry are those who run proxy servers.
Re:2.1.6 (Score:2)
Only Apache 2.0.x, not 1.3.x (Score:3, Informative)
Re:Only Apache 2.0.x, not 1.3.x (Score:3, Funny)
Yes, in 1.3.x ... (Score:2)
http://www.apache.org/dist/httpd/Announcement.htm
Re:Only Apache 2.0.x, not 1.3.x (Score:2)
Yes. I code Servlets for a living. And I like it.
Re:Only Apache 2.0.x, not 1.3.x (Score:2)
Presently I don't have it online, as I've been in a steady job for 6 years and haven't had a need to update it. But you've just provided me with a good reminder that I really should touch it up and make it available.
It's been slashdotted, article text here: (Score:1, Informative)
Wait a sec.. (Score:5, Interesting)
2.0.x is very stable and production ready, but it doesn't have the same amount of years on its neck as 1.3.x - and thus doesn't have as widespread deployment.
2.1.x is alpha-quality, and it has the fix..
messed up priorities?
Re:Wait a sec.. (Score:2, Interesting)
Re:Wait a sec.. (Score:2)
Re:Wait a sec.. (Score:2, Insightful)
I think that the Debian [debian.org] folks may have an issue with this statement.
Re:Wait a sec.. (Score:3, Funny)
The latest stable version is often actually stale
Re:Wait a sec.. (Score:3, Funny)
Henceforth we'll label them "sta(b)le".
Re:Wait a sec.. (Score:2)
That depends. Wouldn't you rather know that the patch doesn't make YOUR website go down in flames before you patch your company's main webserver?
Therefore, the testing tree.
Re:Wait a sec.. (Score:3, Insightful)
For instance, we take a backup of the affected software before installing the new version.
In other words; yes, I'd rather have my company's webserver down for the minute or two it takes to restore the recently-made backup, instead of having to worry about whether or not someone is trying to compromise our web platform.
Maybe that's just me though?
Re:Wait a sec.. (Score:3, Informative)
That's only true on Windows, where for performace reasons all requests are served by one process - which is automatically restarted by a second moitoring process if it crashes.
On Unix, by default it uses the "prefork" MPM - multiple threads, single thread per process, just like 1.3. There are various multithreaded MPMs such as "worker", but you have to enable them manually
How long will OS X users have to wait? (Score:1)
Re:How long will OS X users have to wait? (Score:2)
Re:How long will OS X users have to wait? (Score:1)
why wait? (Score:2)
Re:How long will OS X users have to wait? (Score:2)
Where to get fix... (Score:5, Insightful)
Securityfocus article is here [securityfocus.com].
eh? (Score:5, Insightful)
Example:
Product A (web server) uses the FIRST content-length header.
Product B (application server) uses the LAST content-length header.
So you include two content-length headers, to slip by A and attack B.
Replace A and B with whatever proxying whatever setup you can think up.
So how does Apache by itself have this problem, and how can apache by itself SOLVE the problem?
Btw, this is a great example of why "be liberal in what you accept" is BS. You should reject all out-of-spec data.
Re:eh? (Score:4, Informative)
You're right in that request smuggling requires two entities. In this particular case, the two entities are:
1. Apache
2. An HTTP proxy, HTTP caching proxy, or HTTP-aware firewall
The reason the security flaw affects one product (Apache), is because the flaw does not require abnormal operation from the proxy, cache, or firewall.
Re:eh? (Score:2)
Apache, which interpretes things wrong.
Another product that interprets things correctly.
Despite there being two products, it should be obvious why Apache is the one at fault and the only one that needs fixing.
Re:eh? (Score:2)
Any software that can act as an HTTP proxy can solve the problem by refusing to pass on any content-length-related headers (or other cues) that it does not use.
Bug was found (Score:5, Funny)
by noticing the apache servers were being forced further and further west
Re:Bug was found (Score:2)
Another Dupe (Score:5, Informative)
This seems to be a duplicate of the June 12 article on HTTP Request Smuggling [slashdot.org]. I don't see anything new here, as the original paper [watchfire.com] also talks about Apache being susceptible to this relatively minor (yet still interesting) issue.
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner. [insecure.org]
Re:Another Dupe (Score:3, Interesting)
only affects certain setups (Score:5, Informative)
The attack basically makes the cache think you're requesting one page, but it passes a different request to Apache.
So unless you have some service between your web server and the public, this vulnerability doesn't seem to affect you.
To wit: you ask the cache for Page A with a GET for Page B buried in the header. The cache finds that Page A has expired, and passes your request to Apache. Apache instead serves up Page B, the Cache then sticks Page B's data into Page A's cache.
Re:only affects certain setups (Score:2)
You mean like any caching server the public may be using? Like proxies at firewalls to cut out porn and such? So suddenly all my web pages in their cache are screwed up?
That affects me.
There goes my weekend! (Score:2)
BBH
Re:There goes my weekend! (Score:2)
Re:Maybe you should stop making your life difficul (Score:2)
Mainly because Cingular Blue(attws), Cingular Orange, Nextel, Boost, Dobson, Triton, Tais Toshiba, and Alltel all have different backends. There is some consolidation (70 Cingular boxes are identical, 50 nextel boxes are identical, etc) but overall, I'm looking at about 10-15 different installations and a handful of custom modules that are not ABI compatible from version to version. On a scale of one to clusterfuck
You're not making any sense now. (Score:2)
All you need to do is recompile your httpd binary for each OS that doesn't provide apache binaries, and push it out to each server running that OS. Its really not that big a deal, unless you do every machine by hand or something. If you spend a whole weekend on this, t
If you want to be secure... (Score:3, Informative)
This is the second major problem in the last several weeks that leaves all the "managed server" users out there very vulnerable. (The first being the XML-RPC problem with php) Most of the managed servers out there run Apache off of an RPM compatible with their manager of choice (Plesk, cPanel, etc.). And a lot of the companies out there will make you pay extra to update your server or even wait until RH or Plesk distributes a new RPM.
I think it's going to become apparent to a lot of people very quickly that it's worth the money to pay for a managed server from a quality company that provides real support rather than the $99/month for a server and a gig of bandwidth shops that will leave your servers wide open to these vulnerabilities.
Re:If you want to be secure... (Score:1)
The problem wasn't with PHP, but with the way some popular PHP scripts used the XML-RPC functionality.
Re:If you want to be secure... (Score:2)
Re:If you want to be secure... (Score:2)
Eh? $99 gets you full root access on a dedicated server...you can upgrade what you like when you like. I don't see the problem. Of course, if you pay $99 for a deal where someone else maintains the sof
Re:If you want to be secure... (Score:2, Interesting)
You said it yourself: you CAN upgrade what you like and when you like... which is "nothing" and "never" for most people who don't want to spend the time and effort required to react quickly to vulnerabilities as they are discovered.
How is this news? (Score:1)
.. so this is an apache vulnerability now. (Score:5, Insightful)
Sure, this effects Apache, but this also effects just about all web servers where the request is first filtered through a cache or proxy...
What we don't need is people running around like headless chickens screaming 'omg dat aprache server got r00ted.. wher3s the sploit!' as 90% of Apache servers on the internet will be completely uneffected by it.
It seems the poster didn't read the (very intresting) Watchfire paper before submitting. And editors... do your job, otherwise you'll soon be replaced by monkeys trained to click the 'Accept Article' button all day.
Re:.. so this is an apache vulnerability now. (Score:1, Funny)
So now it's a feature and not a bug?
Re:.. so this is an apache vulnerability now. (Score:2, Funny)
And editors... do your job, otherwise you'll soon be replaced by monkeys trained to click the 'Accept Article' button all day.
I thought that replacement has already happened quite sometime back.
Re:.. so this is an apache vulnerability now. (Score:2)
Actually, that wouldn't work so well for the OSTG or whatever group Slashdot is part of. The humans must be there to accept monetary bribes for the slashvertisements. Trained monkeys would probaby just accept fruit.
Re:.. so this is an apache vulnerability now. (Score:2)
What, that hasn't happened yet? :)
Re:.. so this is an apache vulnerability now. (Score:2)
Parent should read:
"Sure, this affects Apache,...be completely unaffected by it."
It is true that both affect and effect can be used as both a verb and a noun. However, in common usage, 99% of the time you're looking for affect as a verb, and effect as a noun.
Why not? (Score:2)
Isn't this what slashbot does when a Microsoft vulnerability comes out?
Hmm... Seems to me like you want to hide problems in the open source community, rather than be open and transparent about it.
Apache Vulnerability? (Score:3, Interesting)
Or am I completely misunderstanding what's going on?
Re:Apache Vulnerability? (Score:2)
Story & comments are all WRONG (Score:5, Informative)
Second, it is not a major security issue for most users.
It can only be useful if you are running mod_proxy. And even then, it just allows unfiltered requests to the backend. Most people don't even use mod_proxy. If you do, this could have bad implications, but someone still needs to eploit your backend server. It doesn't give anyone a shell or anything like that.
2.1.6-alpha was released with a fix. 2.0.55 should be coming out very shortly.
Wow is the slash article wildly inaccurate! (Score:5, Informative)
I recently released an internal advisory on this from reading TFA [watchfire.com]. Folks, the sky is not falling. 99% of consumers out there will not be affected. People behind NATing firewalls will not have issue. People behind proxies (Squid to name one), and proxying firewalls (Checkpoint, Symantec, etc) will be the ones "vulnerable" to this "attack".
The deal is this:
Proxy A uses Content-Length: header #1, and Webserver A uses Content-Length: header #1 == no problem, no vulnerability.
Proxy A uses Content-Length: header #1, and Webserver B uses Content-Length: header #2 == problem.
That is how it's done. TFA says this may be used to bypass intrusion detection systems. Sure, if you don't have defence in depth. Otherwise you're fine.
Re:Wow is the slash article wildly inaccurate! (Score:2)
Also note that the vulnerability is in the Apache proxy, not the Apache web server.
Important to note that IIS is as bad or worse (Score:3, Informative)
How is it dangerous? (Score:4, Informative)
To affect someone directly, the client browser would have to be compromised to send doctored HTTP requests. If this happens to you, you're already 0wn0red, this little trick might at worst add insult to injury
But imagine this: luser.isp.net connects daily to bank.com through proxy.isp.net
evil.isp.net has tapped into the same LAN as Luser. evil.isp.net sends a doctored request to secure http://bank.com/login.php [bank.com] with exploit-redirection to insecure http://bank.com/demo.html [bank.com], through proxy.isp.net
From now on, proxy.isp.net will serve demo.html to anyone who wants to access login.php. So luser happily types his real password and login into demo submit form (not looking at the lock icon) and happily clicks "submit", while evil.isp.net just sniffs the LAN and captures unencrypted POST request containing real password and login.
That's about as far as it goes. You can't do much if bank.com has DEMO with wide letters across the demo page. You can't redirect to offsite pages, and generally your possiblities are low...
Re:How is it dangerous? (Score:2)
Re:How is it dangerous? (Score:2)
The Cross Site Scripting FAQ (Score:2, Informative)
www.cgisecurity.com/articles/xss-faq.shtml [cgisecurity.com]
Vulnerability in Apache PROXY, NOT Apache SERVER (Score:4, Informative)
1. This vulnerability is in the Apache web proxy version 2.x.
2. This vulnerability does NOT affect the Apache web server, unless an Apache web proxy is running infront of it.
3. The vulnerability is discussed on page 12 of the whitepaper. The rest of the whitepaper is about other similar vulnerabilities in other software.
I read the whitepaper in detail because I have written an HTTP server and wanted to know if I am vulnerable to this attack. The paper actually describes a very large number of attacks, most of which have to do with bugs in old web servers and proxies (not even Apache). Most of the people I see posting here, including those who claim they read the article, are clueless, as they did not read through the whole paper to find the one page related to Apache.
Well, it turns out that this bug is NOT in the Apache server. It is in the Apache web proxy. So, if you use an Apache web proxy infront of your server (regardless of what actual server software you use), you are vulnerable. Also, if you have clients who use an Apache proxy on their end, they are vulnerable. Server administrators should only worry about the former case, obviously.
Yes, a lot of people run caching proxies infront of their own web server, such that every single request to the server -- from all clients -- goes through the proxy. This is often done for performance with dynamically-generated web sites. If you have not heard of this type of setup, then you clearly don't have one, and you can ignore this vulnerability.
The following claims, made in other posts, are FALSE:
- "It's an HTTP vulnerability, not Apache specifically" (Wrong. The Apache proxy clearly mis-handles requests with a Transfer-Encoding header.)
- "To affect someone directly, the client browser would have to be compromised to send doctored HTTP requests." (Wrong. The paper is about using malformed requests to damage a server. The client would send such requests intentionally, in order to cause such damage.)
- This entire post. [slashdot.org] (The guy only read the first vulnerability described in the paper, not the Apache-specific one.)
- "Sure, this effects Apache, but this also effects just about all web servers where the request is first filtered through a cache or proxy..." (No, only ones filtered through an Apache proxy.)
HTTP Request Smuggling (Score:2, Informative)
- HTTPS is not affected
The white paper, while seemingly complete and well written, mentions this almost in passing near the end of the document. That may cause many readers, if they simply skim the paper, to miss this critical point. Further, it discounts using HTTPS as "...an impractical solution".
If security is engineered into your site from the beginning, there's nothing at all imp
Re:Damn, now I have to wait for longhorn. (Score:1)
Following this thought line, they could as well rename it Windows Heisenberg. Uncertainty Server would do, also.
Yes, I know, off topic. Sorry, couldn't resist.
Re:Damn, now I have to wait for longhorn. (Score:5, Funny)
Re:Damn, now I have to wait for longhorn. (Score:2)
Re:yet another (Score:1, Offtopic)
1) Yeah!
2) not good not good
3) After all, it is Apache server. Anyway, it'll get a fix available likety-split. Go, OSS!
Now I could see if this post said yeah, or good or server in the post but I'm just not getting the redundant mod anymore.
~S
Re:yet another (Score:2)
However, this is hardly a problem for anyone. It only affects users of mod_proxy, and then it only allows another request to the backend, which is to say your backend would need to have some other vulnerability in it to do anything useful.
*I shamelessly stole this analysis from chipig on #gentoo-apache, who's an apache herd member.
Re:Linux folks (Score:2)