CVE-2005-2088

The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."
References
Link Resource
http://seclists.org/lists/bugtraq/2005/Jun/0025.html Issue Tracking Mailing List Third Party Advisory
http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf Broken Link
http://www.securiteam.com/securityreviews/5GP0220G0U.html Broken Link Exploit
http://securitytracker.com/id?1014323 Broken Link Third Party Advisory VDB Entry
http://www.debian.org/security/2005/dsa-803 Third Party Advisory
http://www.debian.org/security/2005/dsa-805 Third Party Advisory
http://www.ubuntu.com/usn/usn-160-2 Broken Link
http://lists.trustix.org/pipermail/tsl-announce/2005-October/000354.html Broken Link
http://docs.info.apple.com/article.html?artnum=302847 Broken Link
http://www.securityfocus.com/bid/15647 Third Party Advisory VDB Entry
http://secunia.com/advisories/17813 Not Applicable
http://secunia.com/advisories/14530 Not Applicable
http://secunia.com/advisories/17487 Not Applicable
http://www.securityfocus.com/bid/14106 Third Party Advisory VDB Entry
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102197-1 Broken Link
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102198-1 Broken Link
http://secunia.com/advisories/19072 Not Applicable
http://secunia.com/advisories/19073 Not Applicable
http://www.redhat.com/support/errata/RHSA-2005-582.html Third Party Advisory
http://www.apache.org/dist/httpd/CHANGES_1.3 Vendor Advisory
http://www.apache.org/dist/httpd/CHANGES_2.0 Vendor Advisory
http://secunia.com/advisories/19317 Not Applicable
http://secunia.com/advisories/17319 Not Applicable
http://www-1.ibm.com/support/search.wss?rs=0&q=PK13959&apar=only Third Party Advisory
http://www-1.ibm.com/support/search.wss?rs=0&q=PK16139&apar=only Third Party Advisory
http://slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware-security.600000 Third Party Advisory
http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm Third Party Advisory
http://secunia.com/advisories/19185 Not Applicable
http://www.novell.com/linux/security/advisories/2005_46_apache.html Broken Link
http://www.novell.com/linux/security/advisories/2005_18_sr.html Broken Link
https://secure-support.novell.com/KanisaPlatform/Publishing/741/3222109_f.SAL_Public.html Broken Link
http://secunia.com/advisories/23074 Not Applicable
http://www.mandriva.com/security/advisories?name=MDKSA-2005:130 Broken Link
http://securityreason.com/securityalert/604 Exploit Third Party Advisory
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00612828 Broken Link
http://www.vupen.com/english/advisories/2006/0789 Permissions Required
http://www.vupen.com/english/advisories/2006/1018 Permissions Required
http://www.vupen.com/english/advisories/2005/2140 Permissions Required
http://www.vupen.com/english/advisories/2006/4680 Permissions Required
http://www.vupen.com/english/advisories/2005/2659 Permissions Required
http://marc.info/?l=apache-httpd-announce&m=112931556417329&w=3 Mailing List Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A840 Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1629 Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1526 Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1237 Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11452 Third Party Advisory
http://www.securityfocus.com/archive/1/428138/100/0/threaded Third Party Advisory VDB Entry
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/re895fc1736d25c8cf57e102c871613b8aeec9ea26fd8a44e7942b5ab%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r734a07156abf332d5ab27fb91d9d962cacfef4f3681e44056f064fa8%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd65d8ba68ba17e7deedafbf5bb4899f2ae4dad781d21b931c2941ac3%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:3.1:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:3.0:*:*:*:*:*:*:*

Information

Published : 2005-07-04 21:00

Updated : 2023-02-12 17:16


NVD link : CVE-2005-2088

Mitre link : CVE-2005-2088


JSON object : View

Advertisement

dedicated server usa

Products Affected

debian

  • debian_linux

apache

  • http_server