HTTP Anti-Virus Proxy
http://havp.hege.li/forum/

HTTP proxy security issue
http://havp.hege.li/forum/viewtopic.php?f=3&t=107
Page 1 of 1

Author:  Paul Kosinski [ 03 Jun 2006 01:27 ]
Post subject:  HTTP proxy security issue

"A second variant accomplishes the same thing by sending HTTP 1.1 headers through an HTTP 1.0 proxy such as the popular Squid."

Does this HTTP 1.0 vs HTTP 1.1 issue that relates to Squid also relate to HAVP?

--------------------------------------------------------------

Mozilla Foundation Security Advisory 2006-33
Title: HTTP response smuggling
Impact: High
Date: June 1, 2006
Reporter: Kazuho Oku (Cybozu Labs)
Products: Firefox, Thunderbird

http://www.mozilla.org/security/announc ... 06-33.html

Fixed in: Firefox 1.5.0.4, Thunderbird 1.5.0.4

Description
Kazuho Oku of Cybozu Labs reports via the Information-technology Protection Agency, Japan, that Firefox is vulnerable to HTTP response smuggling when used with certain proxy servers.

The first technique takes advantage of Mozilla's lenient handling of HTTP header syntax which was necessary in the past to cope with various real-world servers. One aspect was to accept HTTP headers with space characters between the header name and the colon. A modern proxy with strict syntax checking would ignore these as invalid headers while Mozilla clients might accept them and interpret one long response as two shorter responses. If a page on the malicious host can make Firefox issue two requests in succession, one to the malicious host and one to the victim site, the second part of the response from the malicious site could be interpreted as the response from the victim site. The content of that response could be a web page that could steal login cookies or other sensitive data if the user has an account at the victim site.

A second variant accomplishes the same thing by sending HTTP 1.1 headers through an HTTP 1.0 proxy such as the popular Squid. The proxy will ignore the unknown 1.1 header (such as "Transfer-Encoding: chunked") while Mozilla-based clients will accept them and again can be made to interpret one long request as two shorter ones.

If the user is not browsing through a proxy the same attacks can still be mounted but would be effective only if the malicious site were at the same IP address as the victim site.

Author:  hege [ 03 Jun 2006 08:32 ]
Post subject: 

HAVP should work like Squid, so the same "problem" probably applies.

But since it's not the proxy's problem if someone sends HTTP/1.1 responses to HTTP/1.0 requests, I don't know if there is anything to fix.

edit: Actually HAVP removes headers like Transfer-Encoding, Squid does not.

Cheers,
Henrik

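As an added example (not from the thread and not HAVP's or Squid's code), a proxy-side check in Python that covers both points raised above: header lines with whitespace before the colon are dropped rather than forwarded, and Transfer-Encoding is stripped on the HTTP/1.0 hop, which is the behaviour hege describes for HAVP. The function name and the sample response head are assumptions.

```python
import re
from typing import List, Tuple

# RFC 7230 "token" characters for a header field name: no whitespace allowed,
# so a line like "Content-Length : 0" is not a valid header.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def audit_response_headers(raw: bytes) -> Tuple[List[str], bytes]:
    """Hypothetical proxy-side check, not HAVP's own code.

    Takes the head of an upstream response (status line + headers, CRLF
    separated, ended by a blank line). Returns (findings, cleaned_head).
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status, header_lines = lines[0], lines[1:]
    findings: List[str] = []
    kept: List[str] = [status]
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep or not _TOKEN.match(name):
            # Space before the colon (or no colon at all): a strict proxy ignores
            # it, a lenient client may not, so it must never be forwarded as-is.
            findings.append(f"malformed header dropped: {line!r}")
            continue
        if name.lower() == "transfer-encoding":
            # An HTTP/1.0 hop does not understand chunked framing; passing the
            # header through lets the client frame the body differently from
            # the proxy. Strip it, as hege says HAVP does.
            findings.append(f"Transfer-Encoding stripped: {value.strip()!r}")
            continue
        kept.append(f"{name}:{value}")
    return findings, ("\r\n".join(kept) + "\r\n\r\n").encode("latin-1")


# Constructed sample head (not taken from the advisory): one header with a
# space before the colon and one Transfer-Encoding header.
SAMPLE_HEAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length : 0\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
)
```

Running `audit_response_headers(SAMPLE_HEAD)` reports two findings and returns a head containing only the status line and Content-Type, so the client and the proxy no longer disagree on where the response ends.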