Article delegate-en/3001 of [1-5169] on the server localhost:119
[Reference:<_A13051@delegate.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] mod. against HRS -- 8.11.5-pre1 / 9.0.3-pre28
07 Jul 2005 05:47:05 GMT ysato@delegate.org (Yutaka Sato)
The DeleGate Project


I modified DeleGate to make it robust against malicious usage of DeleGate
as an HTTP proxy, as noticed in:
<URL:http://www.securitytracker.com/alerts/2005/Jul/1014359.html>
<URL:http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf>

The modified versions are uploaded as 8.11.5-pre1 and 9.0.3-pre28(ALPHA) at
<URL:ftp://ftp.delegate.org/pub/DeleGate/>

The attacking scheme exploits Connection:Keep-Alive to make a spoofed
response message, crafting the boundary of request messages.
Thus I modified HTTP-DeleGate to disable Keep-Alive immediately after
it detects any request with a body, i.e. with a "Content-Length" header.


diff -c1r delegate9.0.3-pre27/src/http.c delegate9.0.3-pre28/src/http.c
*** delegate9.0.3-pre27/src/http.c	Mon Jun 20 16:28:21 2005
--- delegate9.0.3-pre28/src/http.c	Thu Jul  7 12:29:14 2005
***************
*** 4405,4406 ****
--- 4405,4412 ----
  		}else
+ 		if( fnlen = STRH(req,F_ContLeng) ){
+ 			sv1log("#HT11 Don't Keep-Alive [%s] with body: %s",
+ 				REQ_METHOD,req);
+ 			WillKeepAlive = 0;
+ 			DontKeepAlive = 1;
+ 		}else
  		if( fnlen = STRH(req,F_AccEncode) ){
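
Review bot: the added branch keys only on F_ContLeng, so as far as this hunk shows, a request whose body is framed by Transfer-Encoding (no Content-Length header) still leaves WillKeepAlive set. Consider giving that header the same WillKeepAlive = 0 / DontKeepAlive = 1 treatment, and deciding what to do when Content-Length appears more than once with different values, since this branch only closes the connection and does not reject the request. The sv1log call also writes the client-supplied req line with %s; worth confirming the logger bounds or escapes it.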

Cheers,
Yutaka
--
  D G   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( - )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller
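
The keep-alive policy described in the message, as an added example (not DeleGate's code; `classify_request` and the `FR_*` names are hypothetical). It goes beyond the patch by also treating Transfer-Encoding as a body indicator and by rejecting conflicting or doubly framed lengths. It assumes header lines are unfolded and have no blank before the colon.

```c
#include <ctype.h>
#include <limits.h>
#include <string.h>
enum framing { FR_KEEPALIVE_OK, FR_CLOSE_AFTER, FR_REJECT };

/* Value of header `name` if this line carries it (case-insensitive), else NULL. */
static const char *hdr_value(const char *line, size_t len, const char *name)
{
    size_t n = strlen(name);
    if (len <= n || line[n] != ':') return NULL;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return NULL;
    return line + n + 1;
}

/* Strict decimal parse of [v,end); returns -1 on anything but digits and blanks. */
static long parse_len(const char *v, const char *end)
{
    long n = 0;
    while (v < end && (*v == ' ' || *v == '\t')) v++;
    if (v == end || !isdigit((unsigned char)*v)) return -1;
    for (; v < end && isdigit((unsigned char)*v); v++) {
        if (n > (LONG_MAX - 9) / 10) return -1;    /* would overflow */
        n = n * 10 + (*v - '0');
    }
    while (v < end && (*v == ' ' || *v == '\t')) v++;
    return v == end ? n : -1;
}

/* Classify a request head (request line + CRLF-separated header lines). */
enum framing classify_request(const char *head)
{
    long cl = -1, n;
    int has_te = 0;
    for (const char *p = head; *p; ) {
        const char *eol = strstr(p, "\r\n"), *v;
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len == 0) break;                       /* blank line ends the head */
        if ((v = hdr_value(p, len, "Content-Length")) != NULL) {
            if ((n = parse_len(v, p + len)) < 0 || (cl >= 0 && cl != n))
                return FR_REJECT;                  /* malformed or conflicting */
            cl = n;
        } else if (hdr_value(p, len, "Transfer-Encoding") != NULL) {
            has_te = 1;
        }
        p += len + (eol ? 2 : 0);
    }
    if (cl >= 0 && has_te) return FR_REJECT;       /* two framings, one body */
    return (cl >= 0 || has_te) ? FR_CLOSE_AFTER : FR_KEEPALIVE_OK;
}
```

`FR_CLOSE_AFTER` corresponds to the patch's `WillKeepAlive = 0; DontKeepAlive = 1;` outcome: the request is forwarded, but the connection is not reused for a following request.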
