
Potential Security Vulnerability with Apache 2.15 and earlier

This document (3222109) is provided subject to the disclaimer at the end of this document.

Environment

NetWare 6.5
SUSE Linux Enterprise Server 9

Situation

Potential Security Vulnerability with Apache 2.15 and earlier
Apache is prone to an HTTP request smuggling attack.

Resolution

The NetWare fix for this problem should be included in the NetWare 6.5 Support Pack 6 build when it becomes available.

On SLES 9, more information about the fix may be found at:

http://www.linuxcompatible.org/SUSE_Security_Summary_Report_SUSE-SR2005018_s52004.html


Additional Information

Here is the text from the security vulnerability report: A specially crafted request with a 'Transfer-Encoding: chunked' header and a 'Content-Length' can cause the server to forward a reassembled request with the original 'Content-Length' header. Due to this, the malicious request may piggyback with the valid HTTP request.

It is possible that this attack may result in cache poisoning, cross-site scripting, session hijacking and other attacks.
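The defect described above is a framing problem: when a request carries both 'Transfer-Encoding: chunked' and 'Content-Length', the two disagree about where the body ends, and a server that de-chunks the body but forwards the original 'Content-Length' lets a second request ride along. The following added example (not Novell, Apache or advisory code; the sample requests are constructed) shows the defensive behaviour a server or intermediary should have: refuse requests whose framing is ambiguous, and when it does reassemble a chunked body, emit a fresh Content-Length computed from the decoded body instead of passing the original header through. The helper names (`parse_head`, `framing_decision`, `dechunk`, `normalize_for_forwarding`) are this example's own.

```python
"""Added example: HTTP/1.1 framing checks against request smuggling.
Not Novell or Apache code; the requests below are constructed samples."""

import re

CRLF = b"\r\n"


def parse_head(raw: bytes):
    """Split a raw request into (request_line, headers, body).
    Headers come back as a list of (name, value) so duplicates are preserved."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete head: no blank line terminating the headers")
    lines = head.split(CRLF)
    request_line = lines[0].decode("ascii")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().decode("ascii"), value.strip().decode("ascii")))
    return request_line, headers, body


def framing_decision(headers):
    """Decide how the body is delimited. The ambiguous combinations that
    smuggling relies on are rejected rather than guessed at (RFC 7230 3.3.3)."""
    te = [v for n, v in headers if n.lower() == "transfer-encoding"]
    cl = [v for n, v in headers if n.lower() == "content-length"]
    if te and cl:
        return "reject: both Transfer-Encoding and Content-Length present"
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            return "reject: Transfer-Encoding without a final chunked coding"
        return "chunked"
    if cl:
        if len(set(cl)) > 1:
            return "reject: conflicting Content-Length values"
        if not re.fullmatch(r"[0-9]+", cl[0]):
            return "reject: non-numeric Content-Length"
        return "content-length"
    return "no-body"


def dechunk(body: bytes) -> bytes:
    """Decode a chunked body; raises on truncated or malformed chunks."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(CRLF, pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)  # chunk extensions ignored
        pos = eol + 2
        if size == 0:
            return bytes(out)  # trailer section, if any, is ignored in this example
        chunk = body[pos:pos + size]
        if len(chunk) < size or body[pos + size:pos + size + 2] != CRLF:
            raise ValueError("truncated or unterminated chunk")
        out += chunk
        pos += size + 2


def normalize_for_forwarding(raw: bytes) -> bytes:
    """Reassemble a request the way a correct intermediary must: de-chunk when
    the body is chunked, drop Transfer-Encoding and any original Content-Length,
    and emit a Content-Length computed from the decoded body. Ambiguous framing
    is refused instead of forwarded."""
    request_line, headers, body = parse_head(raw)
    decision = framing_decision(headers)
    if decision.startswith("reject"):
        raise ValueError(decision)
    if decision == "chunked":
        body = dechunk(body)
    elif decision == "content-length":
        length = int(next(v for n, v in headers if n.lower() == "content-length"))
        if len(body) < length:
            raise ValueError("body shorter than Content-Length")
        body = body[:length]  # anything past the declared length is not part of this request
    else:
        body = b""
    kept = [(n, v) for n, v in headers
            if n.lower() not in ("transfer-encoding", "content-length")]
    kept.append(("Content-Length", str(len(body))))
    head = request_line.encode("ascii") + CRLF + CRLF.join(
        f"{n}: {v}".encode("ascii") for n, v in kept)
    return head + CRLF + CRLF + body


# Constructed sample requests (not captured traffic).
AMBIGUOUS = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
             b"5\r\nhello\r\n0\r\n\r\n")
CHUNKED = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
           b"Transfer-Encoding: chunked\r\n\r\n"
           b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(framing_decision(parse_head(AMBIGUOUS)[1]))
    print(normalize_for_forwarding(CHUNKED))
```

The important design choice is in `normalize_for_forwarding`: the forwarded message never reuses a client-supplied Content-Length once the body has been re-framed, which is exactly the step the vulnerable server got wrong. Rejecting the dual-header case outright, rather than picking one header, keeps every hop in the chain agreeing on where one request ends and the next begins.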

This issue was originally described in CAN-2005-2088 (Multiple Vendor Multiple HTTP Request Smuggling Vulnerabilities). Due to the availability of more details and vendor confirmation, it is being assigned a new BID.
Note that this defect has been resolved in an upcoming release of Apache for NetWare. Further information about this defect indicates the following:

The Apache Project has already submitted a fix for this issue that will be released in version 2.0.55 of the httpd web server. The ASF's policy toward vulnerabilities is that they try to patch and release an update even before the vulnerability has been announced. The fact that a patch has been committed to the 2.0.55-dev code base, and that the ASF seems to be in no hurry to release 2.0.55, indicates that this vulnerability is very minor.


Formerly known as TID# 10098469

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 3222109
  • Creation Date: 21-NOV-06
  • Modified Date: 27-APR-12
    • Novell: NetWare
    • SUSE: SUSE Linux Enterprise Server
