CVE 2013 5704

The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."

1. The fix commit for the vulnerability (a git hash):

   • bd34b9d92894b7fc01810fc11a059fa30067e431

2. The commit that introduced the vulnerability (a git hash):

   • 64c435c46f94eb409e4a245408cd870defe5947f

3. A description of the coding mistake that led to the vulnerability:

   • HTTP Trailer headers were improperly handled when processing requests that were using chunked encoding. HTTP trailers could be used to replace HTTP headers late during request processing. Trailers were not being merged into headers properly. This could lead to a bypass of header restrictions defined with mod_headers.

4. Who found it?

   • [Joe Orton] (https://github.com/notroj) -- "Hacker of httpd (and more) at Red Hat"
   • [Eric Covener] (https://github.com/covener) -- Apache Developer
   • Edward Lu: Chaosed0@gmail.com
   • Yann Ylavic

5. Who fixed it?

   • One of the same people that found the vulnerability fixed it: [Eric Covener] (https://httpd.apache.org/contributors/#covener)

6. Is this code tested by automated tests?

   • Tests exist for the code, but there doesn't appear to be automated tests.

7. Read the discussions about the code between introduction and fix

   • [Discussion of fix] (http://marc.info/?t=140545152300004&r=1&w=2)
     • Initally there were test regressions and these regressions were fixed
   • [Developer noting they wanted to chunk trailers for the fix] (http://marc.info/?l=apache-httpd-dev&m=139937677914485&w=2)
   • Much of the conversation about the this security bug is polite technical conversation about a fix. The conversation is split over a few months, [starting in October 2013 and not picking up until April 2014] (http://www.gossamer-threads.com/lists/apache/dev/430594?do=post_view_threaded#430594)
   • Someone from Red Hat [trying to create a separate thread about the issue] (https://marc.info/?l=apache-httpd-dev&m=139636309822854&w=2)

8. Was there a bounty awarded? No

9. Evidence of exploit

   • Blog post that takes about the ability to bypass filter with this vulnerability
   • Apple Security Content post for OS X Server v5.0.3, vulnerability is listed under apache
   • Red Hat Security Update for Red Hat JBos Web Server 3.0.2, vulnerability is listed under details with a short description

10. Any mention of how it was found? Fuzzer? Manual?

    • No found mention, probably manual

11. Any other interesting facts about this vulnerability that you would tell someone

    • [Conversation about adding trailers in 2010] (http://marc.info/?l=apache-httpd-dev&m=128096936502934&w=2)