W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2008

Re: (Re: issue #93) Duplicated headers and security vulnerabilities

From: Mark Nottingham <mnot@mnot.net>
Date: Fri, 4 Jan 2008 21:00:15 +1100
Cc: ietf-http-wg <ietf-http-wg@w3.org>
Message-Id: <41E98975-14FD-49F8-8D53-30EEE486E069@mnot.net>
To: Yutaka OIWA <y.oiwa@aist.go.jp>

Now issue 95;
   <http://www3.tools.ietf.org/wg/httpbis/trac/ticket/95>


On 05/12/2007, at 5:28 AM, Yutaka OIWA wrote:

>
> Dear members,
>
> This is a security problem related to issue #93 and my previous mail
> ([NEW ISSUE] Content-Length and Transfer-Encoding: security  
> implications).
>
> Many servers and proxies accept messages containing two Content- 
> Length:
> headers in different manners: some interpret the first header, and  
> some
> do the latter.  This has caused "request/response smuggling attacks",
> when any pair of the server, the proxy, and the clients involved are
> interpreting those differently.  The outcome of the attack is  
> severe: it
> allows cross-site content injection.  To fix this, I recommend to  
> add the
> following note to the specification.
>
>> Messages MUST NOT include any hop-to-hop header twice.  When the  
>> server
>> received such a request, it MUST respond with 400 (Bad Request) and
>> close the connection.  When the client received such a response, it  
>> MUST
>> discard the response and close the connection.  The client MUST NOT
>> accept any responses which follow such an invalid response in a
>> keep-alive connection.
>
> The requirement words may be "SHOULD" and "SHOULD NOT", and the  
> restricted
> headers can be limited to Connection, Transfer-Encoding, and Content- 
> length.
>
> -- 
> Yutaka OIWA, Ph.D.                                       Research  
> Scientist
>                            Research Center for Information Security  
> (RCIS)
>    National Institute of Advanced Industrial Science and Technology  
> (AIST)
>                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp 
> >
> OpenPGP: id[995DD3E1] fp[3C21 17D0 D953 77D3 02D7 4FEC 4754 40C1  
> 995D D3E1]
>
>


--
Mark Nottingham     http://www.mnot.net/
Received on Friday, 4 January 2008 10:00:36 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:36 GMT