Apache HTTP server vulnerability

Discussion

Apache is prone to an HTTP request smuggling attack. A specially crafted request containing both a ‘Transfer-Encoding: chunked’ header and a ‘Content-Length’ header can cause the server to forward a reassembled request with the original ‘Content-Length’ header. As a result, the malicious request may piggyback on a valid HTTP request. This attack may result in cache poisoning, cross-site scripting, session hijacking and other attacks. This issue was originally described in BID 13873 (Multiple Vendor Multiple HTTP Request Smuggling Vulnerabilities). Due to the availability of more details and vendor confirmation, it is being assigned a new BID.
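
A defensive check for the header combination described above, as an added example that is not part of the original advisory or Apache's own code: it flags requests carrying both ‘Transfer-Encoding: chunked’ and ‘Content-Length’, and shows the header set a forwarder should pass on. It also flags duplicate, differing ‘Content-Length’ values, which goes beyond the case in the text; the function names and sample requests are constructed for illustration.

```python
# Added example (not Apache code): audit the framing headers of a raw request.
# All sample requests below are constructed for illustration.

def parse_headers(raw: bytes):
    """Return [(lowercased name, value)] from the header block of a request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers

def is_chunked(headers):
    """True if any Transfer-Encoding header lists the 'chunked' coding."""
    for name, value in headers:
        if name == "transfer-encoding":
            codings = [c.strip().lower() for c in value.split(",")]
            if "chunked" in codings:
                return True
    return False

def framing_findings(raw: bytes):
    """Flag header combinations that let two parsers disagree on body length."""
    headers = parse_headers(raw)
    lengths = [v for n, v in headers if n == "content-length"]
    findings = []
    if is_chunked(headers) and lengths:
        findings.append("chunked-with-content-length")
    if len(set(lengths)) > 1:
        findings.append("conflicting-content-length")
    return findings

def headers_to_forward(raw: bytes):
    """Drop Content-Length whenever the request is chunked before forwarding."""
    headers = parse_headers(raw)
    if is_chunked(headers):
        return [(n, v) for n, v in headers if n != "content-length"]
    return headers

AMBIGUOUS = (b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
             b"5\r\nhello\r\n0\r\n\r\n")
CLEAN = (b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")

if __name__ == "__main__":
    for label, req in (("ambiguous", AMBIGUOUS), ("clean", CLEAN)):
        print(label, framing_findings(req), headers_to_forward(req))
```

Rejecting a flagged request outright is the stricter option; `headers_to_forward` shows the minimum a forwarder must do so that the original ‘Content-Length’ never travels downstream with a chunked body.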

Exploit

No exploit is required. Proof-of-concept demonstrations are available in the referenced Watchfire paper ‘HTTP Request Smuggling’.

Solution

The vendor has released Apache 2.1.6 to address this issue in the 2.1.x branch. A fix for the 2.0 branch is also available in the Apache SVN repository.
