
Multiple devices process HTTP requests inconsistently

2005-02-04 00:00:00
www.kb.cert.org

CVSS2 base score: 5 (Medium)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
EPSS: 0.047 (Low), percentile 92.5%

Overview

Multiple interconnected devices process valid HTTP request headers inconsistently and in this manner may allow a remote attacker to poison a cache, conduct cross-site scripting attacks, and hijack user sessions. Attackers may use these flaws to launch a class of attacks referred to as HTTP response splitting.

Description

HTTP request headers contain parameters to describe an HTTP request, such as a request’s size, type, source, and destination. Entities that handle HTTP data, such as web servers, web caches, and proxy servers, may not process HTTP requests in a consistent manner. A remote attacker may be able to leverage this inconsistency to force incorrect and possibly malicious data to be returned in response to a valid request.

By including multiple Content-Length headers along with crafted, embedded carriage return-line feed (CRLF) pairs within the request data, the attacker may be able to send multiple requests through the web cache or browser cache that sits between the user and the web server. The attacker is then able to control the content of the second response from the target in question, and can now perform the following attacks:

Cross-Site Scripting (XSS): The XSS attack can now be attempted even without complete control of the Location header.
Web Cache Poisoning: A web cache may be poisoned into accepting data supplied by the attacker and indexing it as the true data for a given page.
Cross User Attacks: Multiple successive users may be served data supplied by the attacker, allowing the attacker to set or read session state and perform other tasks.
Page Hijacking: Some leakage of confidential user information may occur.
Browser Cache Poisoning: Similar to the web cache poisoning scenario, a user's web browser may cache attacker-controlled data.
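As an added example (not part of the advisory, and not code from CERT, Watchfire, IBM or Squid), the two defensive checks the description implies, written in Python: a server must refuse to emit a response header value that carries an embedded CR/LF pair, and a cache or proxy must reject a request head whose Content-Length is repeated or malformed rather than guess where the request ends. The header values and request heads below are constructed for this example; the hostname, paths and header names are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample inputs (not taken from the advisory).
# A value an application might copy into a Location header: once clean, once
# carrying an embedded CRLF pair of the kind the description mentions.
SAFE_LOCATION = "/account/home"
TAINTED_LOCATION = "/account/home\r\nX-Injected: 1"

# A well-formed request head, and one with two conflicting Content-Length
# headers, which is the ambiguity that lets two devices disagree on where one
# request ends and the next begins.
CLEAN_REQUEST = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"a=b&c"
)
AMBIGUOUS_REQUEST = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"Content-Length: 30\r\n"
    b"\r\n"
    b"a=b&c"
)

# Bytes that must never appear inside a header value: CR, LF and NUL.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


def is_safe_header_value(value: str) -> bool:
    """True if the value can be written as a header without starting a new line."""
    return _FORBIDDEN.search(value) is None


def safe_header_value(value: str) -> str:
    """Return the value unchanged, or raise rather than write CR/LF to the wire.

    Rejecting (and logging) beats silently stripping: a stripped value may
    still be wrong, and the rejection itself is a signal worth alerting on.
    """
    if not is_safe_header_value(value):
        raise ValueError("header value contains CR/LF/NUL; refusing to emit it")
    return value


def parse_request_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a request head into its request line and (name, value) pairs.

    Names are lower-cased so repeated headers match regardless of case.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def content_length(headers: List[Tuple[str, str]]) -> Optional[int]:
    """Return the single Content-Length, None if absent, or raise if ambiguous.

    Any repetition is rejected outright (stricter than RFC 7230 s.3.3.3, which
    only requires rejecting differing values), as is a non-numeric value such
    as a comma-separated list.
    """
    values = [v for n, v in headers if n == "content-length"]
    if not values:
        return None
    if len(values) > 1:
        raise ValueError(f"multiple Content-Length headers: {values!r}")
    if not values[0].isdigit():
        raise ValueError(f"malformed Content-Length: {values[0]!r}")
    return int(values[0])


def inspect_request(raw: bytes) -> dict:
    """Classify a request head as unambiguous (ok) or one to drop, with a reason."""
    try:
        _request_line, headers = parse_request_head(raw)
        return {"ok": True, "content_length": content_length(headers), "reason": ""}
    except ValueError as exc:
        return {"ok": False, "content_length": None, "reason": str(exc)}


if __name__ == "__main__":
    for label, req in (("clean", CLEAN_REQUEST), ("ambiguous", AMBIGUOUS_REQUEST)):
        print(label, inspect_request(req))
    print("safe location:", is_safe_header_value(SAFE_LOCATION))
    print("tainted location:", is_safe_header_value(TAINTED_LOCATION))
```

The request-side check is deliberately stricter than the RFC minimum: a cache that forwards a request with any repeated Content-Length is trusting the next hop to parse it the same way, which is exactly the inconsistency the advisory describes, so dropping the request and logging the reason is the safer default.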

In some cases, this may also lead to a reversal of the attack scenario if the user downloads content which, when loaded or executed, carries out the attack in a manner that delivers protected or otherwise inaccessible content to the attacker.

HTTP Response Splitting is outlined in depth in the Watchfire HTTP Response Splitting whitepaper.


Impact

A remote unauthenticated attacker may be able to inject malicious content into a web or browser cache, to perform cross-site scripting attacks, to hijack user and session data, or to bypass content protection mechanisms. These flaws are platform independent.


Solution

Apply an update
Contact your vendor for patches, updates, fixes, and workarounds.


Do not follow unsolicited links

Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.
Check Certificates

US-CERT recommends that prior to providing any sensitive information over a secure (HTTPS) connection, you check the name recorded in the certificate to be sure that it matches the name of the site to which you think you are connecting.


Vendor Information


IBM Corporation: Affected

Updated: July 25, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Lotus Domino is affected. IBM has published details, fixes, and workarounds in the “Lotus Domino allows HTTP header injection” note. The issue is addressed in Domino 6.5.4 and 6.0.5.


Squid: Affected

Updated: July 25, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Team Squid has created a patch for the current release version of Squid available online here.

This flaw has been patched in Squid 2.5.STABLE8.



Acknowledgements

Thanks to Watchfire for reporting this vulnerability.

This document was written by Ken MacInnis.

Other Information

CVE IDs: CVE-2005-0175
Severity Metric: 10.08
Date Public:
