US-CERT Vulnerability Notes Database

Vulnerability Note VU#625878

Single crafted HTTP request may result in multiple responses

Overview

Some HTTP handling devices are vulnerable to a flaw which may allow a specially crafted request to elicit multiple responses, some of which may be controlled by the attacker. These attacks may result in cache poisoning, information leakage, cross-site scripting, and other outcomes.

I. Description

This note concerns a flaw in handling HTTP requests that contain the "HTTP Request Smuggling" class of attacks. HTTP Request Smuggling attacks involve injecting one or more HTTP requests within other HTTP requests. Devices that handle HTTP data, such as web caches and proxy servers, may contribute to this class of attacks. HTTP Request Smuggling attacks occur when specially crafted HTTP requests are processed inconsistently by multiple interconnected devices. In this manner the secondary request(s) may be "smuggled" through other devices without detection.

As a simple example, including multiple Content-Length headers in a single request may cause interconnected devices to handle the request differently. Given two Content-Length headers, one device may process only part of the request data, while a subsequent device (using the longer Content-Length header) may read more request data. This in turn changes the nature of the request and may result in cache poisoning or request hijacking.
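The Content-Length disagreement described above, shown as an added example that is not part of the original note or any vendor's code: two framing policies split the same bytes differently, and a front-end check refuses the ambiguous request. The function names, the "first"/"last" policies and the sample request bytes are constructed for illustration.

```python
CRLF = b"\r\n"

# Constructed sample: one request with two conflicting Content-Length headers.
SAMPLE = (b"POST /form HTTP/1.1\r\n"
          b"Host: www.example.test\r\n"
          b"Content-Length: 5\r\n"
          b"Content-Length: 15\r\n"
          b"\r\n"
          b"field=value&x=1")


def parse_head(raw):
    """Return ([(name, value), ...], bytes following the blank line)."""
    head, _, rest = raw.partition(CRLF + CRLF)
    headers = []
    for line in head.split(CRLF)[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, rest


def content_lengths(raw):
    """Every Content-Length value in the request, in order of appearance."""
    headers, _ = parse_head(raw)
    return [v for n, v in headers if n == b"content-length"]


def frame(raw, policy):
    """(body, leftover) as seen by a device that honours the 'first' or 'last' header."""
    values = content_lengths(raw)
    length = int(values[0] if policy == "first" else values[-1]) if values else 0
    _, rest = parse_head(raw)
    return rest[:length], rest[length:]


def is_ambiguous(raw):
    """True when the request should be refused: malformed or disagreeing lengths."""
    values = content_lengths(raw)
    if any(not v.isdigit() for v in values):
        return True
    return len(set(int(v) for v in values)) > 1
```

The leftover bytes returned under the "first" policy are what that device would treat as the start of the next request, while a "last" device sees a single complete request; refusing the request when `is_ambiguous` is true removes the disagreement.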

HTTP Request Smuggling is outlined in depth in the Watchfire "HTTP Request Smuggling" whitepaper.

II. Impact

Multiple scenarios are possible depending on the devices in use and the strategies that are utilized by the attacker. These attacks may involve cache poisoning, request hijacking, protection bypass, and cross-site scripting.

III. Solution

Apply an update


Contact your vendor for information on updates, patches, and workarounds.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Microsoft Corporation | Vulnerable | 14-Jun-2005
Squid | Vulnerable | 14-Jun-2005

References


http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf
http://www.squid-cache.org/Advisories/SQUID-2005_4.txt
http://www.microsoft.com/technet/security/bulletin/MS05-034.mspx
http://docs.info.apple.com/article.html?artnum=306172

Credit

Thanks to Watchfire for providing information on this flaw.

This document was written by Ken MacInnis based primarily on information provided by Watchfire.

Other Information

Date Public: 2005-01-31
Date First Published: 2005-02-04
Date Last Updated: 2007-08-08
CERT Advisory:
CVE-ID(s): CVE-2005-2090
NVD-ID(s): CVE-2005-2090
US-CERT Technical Alerts:
Metric: 7.50
Document Revision: 61

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2005 Carnegie Mellon University