A vulnerability in Apache 2.4.52 was discovered by James Kettle, Director of Research at PortSwigger, that could allow attackers to perform HTTP Request Smuggling against backend web applications. The issue arises because Apache versions 2.4.52 and earlier fail to close the inbound connection when an error is encountered while discarding the HTTP request body.
HTTP Request Smuggling is an attack that abuses inconsistencies in how a front-end component (an HTTP-aware firewall, or a proxy/load balancer) and a back-end web server interpret the Content-Length and Transfer-Encoding HTTP headers. Both headers describe the length of the HTTP request body, and an RFC-compliant HTTP request may only include one or the other. Request smuggling can occur when an HTTP request is crafted to send both headers. The front-end and back-end servers may then disagree on where the request ends, allowing a malicious HTTP request to pass through.
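The disagreement described above can be checked for at the front end before a request is forwarded. The following is an added example, not code from the advisory or from the Apache project: a small request-framing checker that parses a raw HTTP/1.1 request, computes the body that a Content-Length-only parser and a chunked-encoding parser would each consume, and returns a reject verdict whenever the two headers are both present, are duplicated with conflicting values, or would consume different bytes. The sample requests at the bottom are constructed for illustration; the function names and the dict layout are this example's own conventions.

```python
"""Request-framing ambiguity checker (added example, not from the advisory).

A front-end proxy or WAF rule can apply check_framing() to reject requests
whose body length is ambiguous, which removes the precondition for request
smuggling. Sample inputs below are constructed, not captured traffic.
"""
import re

CRLF = b"\r\n"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request_line, headers, body).

    Headers come back as a list of (lowercase name, value) pairs so that
    duplicate headers are preserved instead of silently collapsed.
    """
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.split(CRLF)
    request_line = lines[0].decode("ascii", "replace")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("ascii", "replace"),
                        value.strip().decode("ascii", "replace")))
    return request_line, headers, body


def chunked_body_length(body: bytes):
    """Bytes a chunked-encoding parser consumes from body, or None if the
    chunk stream is incomplete or malformed."""
    pos = 0
    while True:
        eol = body.find(CRLF, pos)
        if eol < 0:
            return None
        size_field = body[pos:eol].split(b";")[0].strip()  # drop chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            return None
        pos = eol + 2
        if size == 0:
            # last chunk: skip optional trailer fields up to the blank line
            while True:
                eol = body.find(CRLF, pos)
                if eol < 0:
                    return None
                if eol == pos:
                    return pos + 2
                pos = eol + 2
        pos += size
        if body[pos:pos + 2] != CRLF:
            return None
        pos += 2


def check_framing(raw: bytes) -> dict:
    """Return {'verdict', 'reasons', 'cl_view', 'te_view'} for a raw request.

    cl_view is the body a Content-Length-only parser would take; te_view is
    the body a chunked parser would take. Any finding yields verdict 'reject'.
    """
    _, headers, body = parse_request(raw)
    cl_values = [v for n, v in headers if n == "content-length"]
    te_values = [v for n, v in headers if n == "transfer-encoding"]
    reasons = []

    if cl_values and te_values:
        reasons.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl_values)) > 1:
        reasons.append("conflicting duplicate Content-Length values")
    for v in cl_values:
        if not re.fullmatch(r"[0-9]+", v):
            reasons.append(f"non-numeric Content-Length {v!r}")
    for v in te_values:
        # RFC 7230: chunked must be the final (and here, only) coding
        if v.lower() != "chunked":
            reasons.append(f"unexpected Transfer-Encoding value {v!r}")

    cl_view = None
    if cl_values and re.fullmatch(r"[0-9]+", cl_values[0]):
        cl_view = body[: int(cl_values[0])]

    te_view = None
    if te_values:
        n = chunked_body_length(body)
        if n is None:
            reasons.append("incomplete or malformed chunked body")
        else:
            te_view = body[:n]

    if cl_view is not None and te_view is not None and cl_view != te_view:
        reasons.append("Content-Length and chunked framing consume different bytes")

    return {"verdict": "reject" if reasons else "ok", "reasons": reasons,
            "cl_view": cl_view, "te_view": te_view}


# Constructed sample requests (not real traffic).
CLEAN_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"user=alice\n"
)

AMBIGUOUS_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"extra"
)

if __name__ == "__main__":
    for name, req in (("clean", CLEAN_REQUEST), ("ambiguous", AMBIGUOUS_REQUEST)):
        print(name, check_framing(req))
```

Rejecting rather than "fixing" an ambiguous request is the safer front-end policy: the checker does not try to guess which framing the back end will use, it simply refuses to forward a request on which two parsers could disagree.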
HTTP Request Smuggling allows for numerous types of malicious activity:
⦁ Security filter bypass – Since this attack involves passing a malicious query directly to a back-end web server, front-end security filters may be bypassed, allowing sensitive information to be exposed.
⦁ Web cache poisoning – If the front-end or middleware that separates the attacker from the back-end web server is configured as a caching server, an attacker abusing request smuggling could potentially poison the cache with invalid response entries. If the attack succeeds, future requests could return the malicious response to other users, for example redirecting a user to a malicious website.
⦁ Client authentication bypass/hijacking – If an attacker is able to intercept legitimate end-user queries, they can append the end-user’s query to their own malicious query and present it to a front-end proxy using the same connection. If a web server is vulnerable to request smuggling, the two could be treated as a single request. This can allow an attacker to hijack the end-user’s valid sessions, cookies, and/or other HTTP authentication details in order to perform malicious actions as a privileged user. This activity is more difficult to achieve but presents a considerable threat.