Vigil@nce - Apache httpd: bypassing mod_headers unset
April 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use HTTP Chunked data, in order to bypass the
"RequestHeader unset" directive of Apache httpd mod_headers.
– Impacted products: Apache httpd
– Severity: 2/4
– Creation date: 01/04/2014
DESCRIPTION OF THE VULNERABILITY
The HTTP Transfer-Encoding header can use the "chunked" type, to
indicate that data is split in chunks before being transmitted.
The "RequestHeader unset Abc" directive of the mod_headers module
of Apache httpd indicates to remove the HTTP Abc header. However,
if an attacker puts the HTTP Abc header in a chunked part,
mod_headers does not remove it.
An attacker can therefore use HTTP Chunked data, in order to
bypass the "RequestHeader unset" directive of Apache httpd
mod_headers.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Apache-httpd-bypassing-mod-headers-unset-14503