
Re: Apache 2.0.54 exploit

From: Molle Bestefich <molle.bestefich_at_gmail.com>
Date: 2005-07-11 09:46:58 CEST

On 7/11/05, Ben Reser wrote:
> On Sun, Jul 10, 2005 at 01:19:38PM +0200, Molle Bestefich wrote:
> > http://www.securityfocus.com/bid/14106
> >
> > "
> > Apache is prone to an HTTP request smuggling attack.
> >
> > A specially crafted request with a 'Transfer-Encoding: chunked' header
> > and a 'Content-Length' can cause the server to forward a reassembled
> > request with the original 'Content-Length' header. Due to this, the
> > malicious request may piggyback with the valid HTTP request.
> >
> > It is possible that this attack may result in cache poisoning,
> > cross-site scripting, session hijacking and other attacks.
> > "
> >
> > SecurityFocus lists Apache 2.0.54 and 2.0.55 as vulnerable.
>
> And you're sending this to this list because?

Just an FYI, in case no-one else noticed it.

Seemed relevant since Apache 2.0.54 is supported by Subversion and
recommended by various Subversion docs.

Apologies if it is not.

Received on Mon Jul 11 09:47:55 2005

This is an archived mail posted to the Subversion Dev mailing list.
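
The advisory quoted in the mail above turns on a request that carries both a 'Transfer-Encoding: chunked' header and a 'Content-Length'. The check below is an added example, not code from the thread, Apache or Subversion: it flags that combination and related framing conflicts in a raw request head, following RFC 7230 section 3.3.3. The function names and the sample requests (host svn.example.test) are constructed for illustration.

```python
# Added example (not from the thread): flag ambiguous HTTP request framing.

def parse_headers(raw: bytes):
    """Return [(name, value)] from the header block of a raw HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def framing_findings(raw: bytes):
    """Reasons a proxy or server should refuse this request (RFC 7230, 3.3.3)."""
    te, cl = [], []
    for name, value in parse_headers(raw):
        if name == "transfer-encoding":
            te.append(value.lower())
        elif name == "content-length":
            cl.append(value)
    findings = []
    if te and cl:
        # Body length is stated two ways; two parsers may disagree on it.
        findings.append("transfer-encoding-with-content-length")
    if len(set(cl)) > 1:
        findings.append("conflicting-content-length")
    if any(not (v.isascii() and v.isdigit()) for v in cl):
        findings.append("invalid-content-length")
    if te and te[-1].split(",")[-1].strip() != "chunked":
        findings.append("chunked-not-final-coding")
    return findings

# Constructed sample requests (hypothetical host, harmless bodies).
HEAD = b"POST /svn/repo HTTP/1.1\r\nHost: svn.example.test\r\n"
AMBIGUOUS = (HEAD + b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
             b"0\r\n\r\n")
CLEAN = HEAD + b"Content-Length: 5\r\n\r\nhello"
DUP_CL = HEAD + b"Content-Length: 5\r\nContent-Length: 7\r\n\r\nhello"
NOT_CHUNKED = HEAD + b"Transfer-Encoding: gzip\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("ambiguous", AMBIGUOUS), ("clean", CLEAN),
                       ("duplicate", DUP_CL), ("not-chunked", NOT_CHUNKED)):
        print(label, framing_findings(req))
```

RFC 7230 says a message with both headers ought to be handled as an error, and that a sender must remove the received Content-Length before forwarding it downstream.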
