Apache Httpd < 2.0.55: HTTP Request Spoofing

ID HTTPD:EC51B446361738A66C79348A9E0F0C80
Type httpd
Reporter Apache Team Foundation
Modified 2005-10-14T00:00:00


A flaw occured when using the Apache server as a HTTP proxy. A remote attacker could send a HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, causing Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request. This could allow the bypass of web application firewall protection or lead to cross-site scripting (XSS) attacks.