A pretty big vulnerability was recently published for Apache 1.x and 2.x, as well as Squid.
The vulnerability involves intentionally incomplete HTTP requests: the server keeps a connection open while it waits for the rest of the headers.
This would be the header that is sent to the server:
GET / HTTP/1.1\r\n
Host: host\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n
Content-Length: 42\r\n
So far, no one knows of any Apache configuration that protects against this attack. What could be done is to increase the number of requests to make things harder for the attacker, but this would not be a solution to the problem. Moreover, Tomasz Miklos mentions that he managed to counteract the attack with a reverse proxy known as Perlbal.
Hopefully there will be news or security updates for Apache soon. Good news for those using IIS: this vulnerability does not affect them.
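The request shown above never sends the blank line (`\r\n\r\n`) that ends the header block, which is why the server keeps waiting. The following sketch is an added example, not code from the original post or from Apache: it flags connections still waiting for the end of their headers after a deadline and groups them by client IP. The `Conn` record, the 10-second deadline, the per-IP limit and the sample addresses are all assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass

HEADER_END = b"\r\n\r\n"  # blank line that terminates an HTTP/1.x header block

@dataclass
class Conn:
    peer: str          # client IP address
    opened_at: float   # time the socket was accepted, in seconds
    received: bytes    # everything read from the client so far

def headers_complete(received: bytes) -> bool:
    """True once the client has sent the blank line ending the headers."""
    return HEADER_END in received

def stalled(conns, now, header_deadline=10.0):
    """Connections still waiting for the end of headers past the deadline."""
    return [c for c in conns
            if not headers_complete(c.received)
            and now - c.opened_at > header_deadline]

def suspects(conns, now, header_deadline=10.0, per_ip_limit=3):
    """Peers holding at least per_ip_limit stalled connections (assumed limit)."""
    counts = Counter(c.peer for c in stalled(conns, now, header_deadline))
    return sorted(ip for ip, n in counts.items() if n >= per_ip_limit)

# Constructed sample data. PARTIAL mirrors the request in the post (User-Agent
# abbreviated): every header line ends in \r\n but the final blank line is missing.
PARTIAL = (b"GET / HTTP/1.1\r\nHost: host\r\n"
           b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)\r\n"
           b"Content-Length: 42\r\n")
COMPLETE = b"GET / HTTP/1.1\r\nHost: host\r\n\r\n"

SAMPLE = (
    [Conn("203.0.113.7", t, PARTIAL) for t in (0.0, 1.0, 2.0, 3.0)]
    + [Conn("198.51.100.4", 5.0, COMPLETE),   # normal client, headers finished
       Conn("198.51.100.9", 28.0, PARTIAL)]   # slow, but still inside the deadline
)

if __name__ == "__main__":
    print(suspects(SAMPLE, now=30.0))
```

A server or proxy that closes the connections returned by `stalled()` frees the worker slots this kind of request is meant to hold.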