English version (French version available on makina corpus).

Pound is an Open Source HTTP load balancer, usually used as an SSL/TLS terminator (handling https and certificate in front of a more classical http backend). Back in time it was a simple and efficient way of adding SSL for a website.

If you check the official website you'll see pound described as a load balancer, a reverse proxy, an SSL wrapper but also a sanitizer:

An HTTP/HTTPS sanitizer: Pound will verify requests for correctness and accept only well-formed ones.

The project activity has been slowing down and this last CVE published in early 2018 may have triggered some warnings about the project activity. The Debian project removed the package, not only because of that CVE, where a patch was available. From this discussion it appears that compatibility with new versions of OpenSSL and the lack of activity on the project contributed greatly to the decision.

If we check the Debian status page for this package today we have a warning that the package has been removed because it cannot be found in any development repository, and 3 actions: outdated version, 1 ignored security issue in stretch (stable) and one in jessie (oldstable). From my own test I cannot install it on jessie, but on stretch I'm still able to install it, with the security issues inside.

If you use a Suse package you have the security updates available.

On the official project page the official stable version is now Pound-2.8 and contains the fix. The first fixed version was 2.8a (experimental), and there was a very long time for which only this experimental version was available. The source code diff for version 2.8 is not very big: (fossies1 | fossies2 | fossies3). It contains some feature removal (dynamic scaling) and security syntax filters on HTTP Smuggling issues.

CVE-2016-10711

Apsis Pound before 2.8a allows request smuggling via crafted headers

Most of the issues are in fact very common mistakes with HTTP parsers (with some specific rare issues also, like NULL character handling). It was common before 2005 and before RFC 7230. I have reported similar issues in a lot of projects, small ones, and sometimes bigger ones, so it could be interesting to study some of these 'crafted headers'.

Note that, as explained later, Pound, being an SSL terminator, is not the most critical piece in a smuggling attack. Performing such attacks on a reverse proxy cache, or a common HTTP server, is more valuable for an attacker. 'HTTP Smuggling attacks' paradigm is based on chaining syntax errors on multiple actors, so everyone should detect the strange crafted headers and behave properly.

1- Double content-length support:

Any request with 2 Content-Length headers MUST be rejected.

If a message is received that has multiple Content-Length header fields with field-values consisting of the same decimal value, or a single Content-Length header field with a field value containing a list of identical decimal values (e.g., "Content-Length: 42, 42"), indicating that duplicate Content-Length header fields have been generated or combined by an upstream message processor, then the
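The strict rule stated above for duplicate Content-Length headers, as an added example that is not part of the original article and not Pound's code: `check_content_length` and the sample requests are constructed for illustration. RFC 7230 also allows collapsing identical duplicate values into one; this sketch applies the stricter reject-always policy, and refuses NUL bytes, bare CR/LF and whitespace before the colon so that a second Content-Length cannot be hidden from the check.

```python
import re

_DIGITS = re.compile(rb"[0-9]+")  # digits only: no sign, no comma list


def check_content_length(head: bytes):
    """Return (ok, reason, length) for a raw request head.

    Hypothetical helper (not Pound's code) applying the strict policy:
    any request carrying more than one Content-Length is rejected.
    """
    # NUL bytes and bare CR/LF make parsers disagree on where lines end.
    rest = head.replace(b"\r\n", b"")
    if any(c in rest for c in (b"\x00", b"\r", b"\n")):
        return (False, "NUL or bare CR/LF in request head", None)
    values = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if not line:
            break  # blank line: end of the header section
        name, sep, value = line.partition(b":")
        # Whitespace around the name (or a folded line) could hide a header.
        if not sep or not name or name != name.strip():
            return (False, "malformed header name", None)
        if name.lower() == b"content-length":
            values.append(value.strip(b" \t"))
    if len(values) > 1:
        return (False, "duplicate Content-Length", None)
    if values and not _DIGITS.fullmatch(values[0]):
        return (False, "invalid Content-Length value", None)
    return (True, "ok", int(values[0]) if values else None)


# Constructed sample requests (example.test is a placeholder host).
_BASE = b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
SAMPLES = {
    "single": _BASE + b"Content-Length: 42\r\n\r\n",
    "duplicate": _BASE + b"Content-Length: 42\r\nContent-Length: 42\r\n\r\n",
    "list": _BASE + b"Content-Length: 42, 42\r\n\r\n",
    "spaced": _BASE + b"Content-Length : 42\r\n\r\n",
    "bare_lf": _BASE + b"X-A: b\nContent-Length: 7\r\nContent-Length: 42\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_content_length(raw))
```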