PK13959: CAN-2005-2088, VULNERABILITY EXISTS IN IHS 1.3.X WHEN USED AS PROXY SERVER

APAR status
Closed as program error.

Error description
CAN-2005-2088 affects Apache versions prior to 1.3.34 and also
affects IBM HTTP Server 1.3.26x and 1.3.28x releases if
the IBM HTTP Server is used as a proxy server.
Details of CAN-2005-2088
A vulnerability has been reported in Apache, which can be
exploited by malicious people to conduct HTTP request
smuggling attacks.
The vulnerability is caused by an error in the handling of
malformed HTTP requests that carry both "Transfer-Encoding" and
"Content-Length" headers. It can be exploited to cause
Apache to forward malicious HTTP requests inside the HTTP
body, which are then processed as separate HTTP requests
by the receiving server.
Successful exploitation allows poisoning of the web proxy
cache or bypass of certain web application firewall protections,
but requires that Apache be configured as a web proxy.
Local fix

Problem summary
Handling of requests from the client and responses
from the origin server did not check for the presence of both
Content-Length and Transfer-Encoding: chunked header fields.
Thus, a message could be passed to another entity with different rules
for interpretation than this web server.  The problem would not
affect IBM HTTP Server directly.  The actual impact depends on
the other entity.
Problem conclusion
When both Transfer-Encoding and Content-Length are received from
the client or the origin server, remove the Content-Length field.
That ensures that the third entity (origin server or client) cannot
interpret the request in a different manner.  This is what prevents
the request splitting/spoofing attack from using this web server
as an intermediary.
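The check and normalization described in the problem conclusion, written out as an added example; this is constructed illustration code, not IBM HTTP Server or Apache source. It assumes a simple raw HTTP message head (start line plus CRLF-separated headers), compares header names case-insensitively, and, when both framing headers are present, drops Content-Length so that every downstream parser sees exactly one framing rule. The sample request is constructed for the example.

```python
"""Framing-header check and normalization in the spirit of the
PK13959 conclusion. Constructed example code; not IBM HTTP Server
or Apache source."""

CRLF = "\r\n"


def parse_message(raw: str):
    """Split a raw HTTP message into (start_line, [(name, value)], body).
    Header names keep their original case; comparisons elsewhere are
    case-insensitive, as HTTP requires."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    start_line = lines[0]
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return start_line, headers, body


def has_header(headers, name: str) -> bool:
    """Case-insensitive presence test for a header field name."""
    return any(n.lower() == name.lower() for n, _ in headers)


def is_ambiguously_framed(headers) -> bool:
    """The condition the APAR checks for: both Content-Length and
    Transfer-Encoding present on the same message, so two parsers
    could disagree about where the body ends."""
    return has_header(headers, "Content-Length") and has_header(
        headers, "Transfer-Encoding"
    )


def normalize_framing(headers):
    """Apply the APAR's conclusion: when both fields are present, remove
    Content-Length and keep Transfer-Encoding. Unambiguous messages pass
    through unchanged."""
    if not is_ambiguously_framed(headers):
        return list(headers)
    return [(n, v) for n, v in headers if n.lower() != "content-length"]


def serialize(start_line: str, headers, body: str) -> str:
    """Rebuild the raw message from its parts."""
    return (
        start_line
        + CRLF
        + "".join(f"{n}: {v}{CRLF}" for n, v in headers)
        + CRLF
        + body
    )


def normalize_message(raw: str) -> str:
    """Parse, normalize framing headers, and re-serialize one message."""
    start_line, headers, body = parse_message(raw)
    return serialize(start_line, normalize_framing(headers), body)


# Constructed sample: a request carrying both framing headers with an
# empty chunked body (just the terminating zero-length chunk).
SAMPLE_REQUEST = (
    "POST /submit HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "content-length: 5\r\n"
    "Transfer-Encoding: chunked\r\n"
    "\r\n"
    "0\r\n\r\n"
)

if __name__ == "__main__":
    _, hdrs, _ = parse_message(SAMPLE_REQUEST)
    print("ambiguous:", is_ambiguously_framed(hdrs))
    print(normalize_message(SAMPLE_REQUEST))
```

The header-name comparison is lower-cased on purpose: a check that only matched the canonical spelling "Content-Length" would leave a lower-cased or mixed-case field in place, and the downstream entity would still see two framing rules.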
Temporary fix
Disable HTTP proxy in the configuration.
Comments
APAR information
APAR number PK13959
Reported component name APACHE HTTP SVR
Reported component ID 5648B7801
Reported release 326
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2005-10-24
Closed date 2005-10-24
Last modified date 2005-10-24

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
HTTPD PROXY

Publications Referenced

Fix information
Fixed component name APACHE HTTP SVR
Fixed component ID 5648B7801

Applicable component levels
R326 PSN    UP
R328 PSN    UP

Document Information

Product categories: Software > Application Servers > Distributed Application & Web Servers > IBM HTTP Server > Runtime
Operating system(s):
Software version: 326
Software edition:
Reference #: PK13959
IBM Group: Software Group
Modified date: Oct 24, 2005