Vigil@nce - Varnish: cache poisoning via CR
April 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use special HTTP headers with Varnish, in order to
read or alter cache data.
Impacted products: Varnish
Severity: 2/4
Creation date: 23/03/2015
DESCRIPTION OF THE VULNERABILITY
The HTTP protocol specifies that headers are separated by the
"\r\n" sequence (CR, Carriage Return, followed by LF, Line Feed).
However, Varnish also accepts headers separated by the CR
character alone. If the rest of the HTTP processing chain does not
apply the same rule, some HTTP requests/responses may be
interpreted differently along the chain, which may lead to cache
corruption and to the delivery of data belonging to another session.
An attacker can therefore use special HTTP headers with Varnish,
in order to read or alter cache data.
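The Python check below is an added example, not part of the Vigil@nce bulletin and not Varnish code. It flags a CR that is not followed by LF in a raw header block and shows that a CRLF-only splitter and a CR-tolerant splitter list different headers for the same bytes, so a front-end filter can reject such messages. The function names, the simplified lenient splitter and the sample requests are constructed for illustration.

```python
import re

# A CR that is not immediately followed by LF ("bare CR").
BARE_CR = re.compile(rb"\r(?!\n)")

def split_strict(head: bytes) -> list:
    """Split a header block on CRLF only, as the HTTP specification describes."""
    return [line for line in head.split(b"\r\n") if line]

def split_lenient(head: bytes) -> list:
    """Split on CRLF or on a lone CR (simplified model of the lenient rule)."""
    return [line for line in re.split(rb"\r\n|\r", head) if line]

def header_names(lines: list) -> list:
    """Lower-cased field names, skipping the request/status line."""
    return [l.split(b":", 1)[0].strip().lower().decode("latin-1")
            for l in lines[1:] if b":" in l]

def check_head(head: bytes) -> dict:
    """Report bare CRs and whether the two splitting rules disagree."""
    strict = header_names(split_strict(head))
    lenient = header_names(split_lenient(head))
    return {
        "bare_cr_offsets": [m.start() for m in BARE_CR.finditer(head)],
        "strict": strict,
        "lenient": lenient,
        "ambiguous": strict != lenient,  # reject or log when True
    }

# Constructed sample requests (not captured traffic).
SAMPLE_OK = (b"GET /index.html HTTP/1.1\r\n"
             b"Host: example.test\r\n"
             b"X-Trace: abc\r\n\r\n")
SAMPLE_BARE_CR = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: example.test\r\n"
                  b"X-Trace: abc\rX-Extra: def\r\n\r\n")

if __name__ == "__main__":
    for name, head in (("ok", SAMPLE_OK), ("bare-cr", SAMPLE_BARE_CR)):
        print(name, check_head(head))
```

A message for which `ambiguous` is true is one that two hops in the chain may not parse identically, so it is a candidate for rejection before it reaches the cache.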
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Varnish-cache-poisoning-via-CR-16444