PK13959: CAN-2005-2088, VULNERABILITY EXISTS IN IHS 1.3.X WHEN USED AS PROXY SERVER
APAR status
Closed as program error.

Error description
CAN-2005-2088 affects Apache versions prior to 1.3.34 and also affects the IBM HTTP Server 1.3.26x and 1.3.28x releases if the IBM HTTP Server is used as a proxy server.

Details of CAN-2005-2088: A vulnerability has been reported in Apache which can be exploited by malicious people to conduct HTTP request smuggling attacks. The vulnerability is caused by an error in the handling of malformed HTTP requests that carry both "Transfer-Encoding" and "Content-Length" headers, and can be exploited to cause Apache to forward malicious HTTP requests in the HTTP body, which will be processed as separate HTTP requests by the receiving server. Successful exploitation allows poisoning of the web proxy cache or bypass of certain web application firewall protections, but requires that Apache is configured as a web proxy.

Local fix

Problem summary
Handling of the request from the client and the response from the origin server did not check for the presence of both the Content-Length and the Transfer-Encoding: chunked header fields. Thus, the message could be passed to another entity with different rules for interpretation than this web server. The problem would not affect IBM HTTP Server directly. The actual impact depends on the other entity.

Problem conclusion
When both Transfer-Encoding and Content-Length are received from the client or the origin server, remove the Content-Length field. That ensures that the third entity (origin server or client) cannot interpret the request in a different manner. This is what prevents the request splitting/spoofing attack from using this web server as an intermediate.

Temporary fix
Disable HTTP proxy in the configuration.

Comments
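The following Python example is added here to illustrate the rule in the problem conclusion; it is not IBM HTTP Server code. It models a relay that receives a message carrying both framing headers, shows how a downstream entity that honours Content-Length first and one that honours chunked encoding would disagree on where the body ends, and then applies the APAR's rule (drop Content-Length) so both agree. The sample request, the header names and the `prefer_cl` flag are constructed for the example; chunked bodies are assumed to carry no trailers.

```python
def parse_headers(raw: bytes):
    """Split a raw HTTP/1.x message into (start line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def is_ambiguous(headers) -> bool:
    """The condition the APAR fixes: both framing headers present at once."""
    names = {n for n, _ in headers}
    return b"transfer-encoding" in names and b"content-length" in names

def normalize(headers):
    """APAR rule: drop Content-Length when both framing headers are present."""
    if not is_ambiguous(headers):
        return list(headers)
    return [(n, v) for n, v in headers if n != b"content-length"]

def chunked_end(body: bytes) -> int:
    """Offset just past the zero-size chunk that ends a chunked body (no trailers)."""
    pos = 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)
        pos = line_end + 2 + size + 2  # size line, chunk data, trailing CRLF
        if size == 0:
            return pos

def message_end(headers, body: bytes, prefer_cl: bool = False) -> int:
    """Bytes of body a receiver consumes. prefer_cl models a downstream entity
    that honours Content-Length first; otherwise chunked framing wins."""
    names = dict(headers)
    chunked = names.get(b"transfer-encoding", b"").lower() == b"chunked"
    if b"content-length" in names and (prefer_cl or not chunked):
        return int(names[b"content-length"])
    return chunked_end(body) if chunked else 0

# Constructed sample: both framing headers, with body bytes left after the last chunk.
SAMPLE = (b"POST /app HTTP/1.1\r\nHost: proxy.example\r\n"
          b"Content-Length: 3\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nXYZ")

def demo():
    """Returns ((cl_first, te_first) before normalization, the same pair after)."""
    _, headers, body = parse_headers(SAMPLE)
    before = (message_end(headers, body, True), message_end(headers, body))
    fixed = normalize(headers)
    return before, (message_end(fixed, body, True), message_end(fixed, body))
```

Before normalization the two receivers stop at different offsets (3 and 5 bytes), which is exactly the disagreement the APAR describes; after `normalize` both read 5 bytes, so no leftover data can be reinterpreted as a second message.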
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
Publications Referenced
Product categories: Software > Application Servers > Distributed Application & Web Servers > IBM HTTP Server > Runtime
Operating system(s):
Software version: 326
Software edition:
Reference #: PK13959
IBM Group: Software Group
Modified date: Oct 24, 2005
(C) Copyright IBM Corporation 2000, 2008. All Rights Reserved.