HTTP Anti-Virus Proxy

Official HAVP Support Forum
Registration disabled, I'm tired of spambots. E-mail havp@hege.li if you have questions.
HAVP project is pretty much frozen/abandoned at this time anyway.

All times are UTC + 2 hours [ DST ]

Posted: 03 Jun 2006 01:27
"A second variant accomplishes the same thing by sending HTTP 1.1 headers through an HTTP 1.0 proxy such as the popular Squid."

Does this HTTP 1.0 vs HTTP 1.1 issue that relates to Squid also relate to HAVP?

--------------------------------------------------------------

Mozilla Foundation Security Advisory 2006-33
Title: HTTP response smuggling
Impact: High
Date: June 1, 2006
Reporter: Kazuho Oku (Cybozu Labs)
Products: Firefox, Thunderbird

http://www.mozilla.org/security/announc ... 06-33.html

Fixed in: Firefox 1.5.0.4, Thunderbird 1.5.0.4

Description
Kazuho Oku of Cybozu Labs reports via the Information-technology Protection Agency, Japan, that Firefox is vulnerable to HTTP response smuggling when used with certain proxy servers.

The first technique takes advantage of Mozilla's lenient handling of HTTP header syntax which was necessary in the past to cope with various real-world servers. One aspect was to accept HTTP headers with space characters between the header name and the colon. A modern proxy with strict syntax checking would ignore these as invalid headers while Mozilla clients might accept them and interpret one long response as two shorter responses. If a page on the malicious host can make Firefox issue two requests in succession, one to the malicious host and one to the victim site, the second part of the response from the malicious site could be interpreted as the response from the victim site. The content of that response could be a web page with that could steal login cookies or other sensitive data if the user has an account at the victim site.

A second variant accomplishes the same thing by sending HTTP 1.1 headers through an HTTP 1.0 proxy such as the popular Squid. The proxy will ignore the unknown 1.1 header (such as "Transfer-Encoding: chunked") while Mozilla-based clients will accept them and again can be made to interpret one long request as two shorter ones.

If the user is not browsing through a proxy the same attacks can still be mounted but would be effective only if the malicious site were at the same IP address as the victim site.


Posted: 03 Jun 2006 08:32
HAVP Developer

Joined: 27 Feb 2006 18:12
Posts: 687
Location: Finland
HAVP should work like Squid, so the same "problem" probably applies.

But since it's not proxy's problem if someone sends HTTP/1.1 responses to HTTP/1.0 requests, I don't know if there is anything to fix.

edit: Actually HAVP removes headers like Transfer-Encoding, Squid does not.

Cheers,
Henrik
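
The parsing disagreement discussed in this thread, and the proxy-side header removal mentioned in the reply, as an added example that is not part of either post and is not HAVP's or Squid's code. The function names, the `as_client` switch and the sample response head are assumptions constructed for illustration.

```python
import re

# RFC 7230 field-name token; no whitespace is allowed before the colon.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def fields(raw):
    """Yield (name, value, line) for each header line that contains a colon."""
    for line in raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            yield name, value.strip(), line

def framing(raw, as_client):
    """How a parser delimits the body: 'chunked', ('length', n) or 'until-close'.
    as_client=True models the lenient HTTP/1.1 client from the advisory,
    as_client=False a strict HTTP/1.0 proxy."""
    result = "until-close"
    for name, value, _ in fields(raw):
        if as_client:
            name = name.rstrip(b" \t")       # lenient: tolerate "Name : value"
        elif not TOKEN.fullmatch(name):
            continue                         # strict: ignore the invalid header
        key = name.lower()
        if as_client and key == b"transfer-encoding" and b"chunked" in value.lower():
            return "chunked"                 # only an HTTP/1.1 parser acts on this
        if key == b"content-length" and value.isdigit():
            result = ("length", int(value))
    return result

def sanitize_head(raw):
    """Drop header lines the two parsers would treat differently (lines without
    a colon are dropped too); return (clean_head, findings)."""
    kept, findings = [raw.split(b"\r\n", 1)[0]], []
    for name, value, line in fields(raw):
        if not TOKEN.fullmatch(name):
            findings.append(("malformed-name", line))
        elif name.lower() == b"transfer-encoding":
            findings.append(("http-1.1-framing", line))
        else:
            kept.append(name + b": " + value)
    return b"\r\n".join(kept) + b"\r\n\r\n", findings

# Constructed sample response head containing both header forms named in the advisory.
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          b"Content-Length : 0\r\nTransfer-Encoding: chunked\r\n\r\n")

if __name__ == "__main__":
    print(framing(SAMPLE, as_client=False), framing(SAMPLE, as_client=True))
    clean, found = sanitize_head(SAMPLE)
    print(found, framing(clean, False), framing(clean, True))
```

Before sanitizing, the two views disagree on where the body ends; afterwards both fall back to reading until the connection closes. A real proxy that removes Transfer-Encoding also has to decide how the body is delimited downstream, which this sketch does not cover.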

