Multiple interconnected devices process valid HTTP request headers inconsistently and in this may manner may allow a remote attacker to poison a cache, conduct cross-site scripting attacks, and hijack user sessions. Attackers may use these flaws to launch a class of attacks referred to as HTTP response splitting.
HTTP request headers contain parameters to describe an HTTP request, such as a request's size, type, source, and destination. Entities that handle HTTP data, such as web servers, web caches, and proxy servers, may not process HTTP requests in a consistent manner. A remote attacker may be able to leverage this inconsistency to force incorrect and possibly malicious data to be returned in response to a valid request.
By including multiple Content-length headers along with crafted, embedded carriage return-line feed (CRLF) pairs within the request data, the attacker may be able to send multiple requests through the web cache or browser cache in between the user and web server. The attacker is then able to control the content of the second response from the target in question, and can now perform the following attacks:
A remote unauthenticated attacker may be able to inject malicious content into a web or browser cache, to perform cross-site scripting attacks, to hijack user and session data, or to bypass content protection mechanisms. These flaws are platform independent.
Apply an update
Do not follow unsolicited links
Thanks to Watchfire for reporting this vulnerability.
This document was written by Ken MacInnis.
|Date First Published:||2005-02-04|
|Date Last Updated:||2007-03-05 15:50 UTC|