Vigil@nce - Apache Tomcat: data injection via Content-Length
February 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use two Content-Length headers in order to alter
the behaviour of HTTP data analysis.
Impacted products: Tomcat
Severity: 1/4
Creation date: 25/02/2014
DESCRIPTION OF THE VULNERABILITY
The Content-Length header indicates the size of the HTTP data.
When two or more Content-Length headers are present, each
entity (client, proxy, server) can make a different decision:
– use first value
– use last value
– etc.
These differing behaviors make it possible, for example, to inject
data in order to corrupt a cache or obtain sensitive information
(VIGILANCE-VUL-4047 (https://vigilance.fr/tree/1/4047?w=66901),
VIGILANCE-VUL-6675 (https://vigilance.fr/tree/1/6675?w=66901)).
The HTTP and AJP connectors of the Tomcat server do not ignore these
multiple headers, and are thus impacted by this attack family.
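The divergence described above, as an added example that is not part of the bulletin or of Tomcat's code: Python that shows what a first-wins and a last-wins parser each read from the same header block, and a strict check that rejects the message when the Content-Length values disagree, which is the rule in RFC 7230 section 3.3.3. The function names and the sample requests are constructed for illustration.

```python
from __future__ import annotations


class AmbiguousLength(ValueError):
    """Raised when the framing of the message body cannot be trusted."""


def content_length_values(raw_head: bytes) -> list[str]:
    """Return every Content-Length value in the header block, in order."""
    values = []
    lines = raw_head.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    for line in lines[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            # One field line may itself carry a comma-separated list.
            values += [v.strip().decode("ascii", "replace")
                       for v in value.split(b",")]
    return values


def lenient_choices(raw_head: bytes) -> dict[str, int]:
    """What a first-wins and a last-wins parser would each read."""
    values = [int(v) for v in content_length_values(raw_head)]
    return {"first": values[0], "last": values[-1]}


def strict_content_length(raw_head: bytes) -> int | None:
    """Return the single agreed length, None if absent, else raise."""
    values = content_length_values(raw_head)
    if not values:
        return None
    for v in values:
        if not (v.isascii() and v.isdigit()):
            raise AmbiguousLength(f"invalid Content-Length: {v!r}")
    if len({int(v) for v in values}) > 1:
        raise AmbiguousLength(f"conflicting Content-Length values: {values}")
    return int(values[0])


# Constructed sample requests (not taken from the bulletin).
CONFLICTING = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
               b"Content-Length: 5\r\nContent-Length: 27\r\n\r\n")
DUPLICATE_SAME = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
                  b"Content-Length: 5\r\nContent-Length: 5\r\n\r\n")
```

Running the strict check at the first component that receives the request keeps every later hop from having to choose between the two values.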
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Apache-Tomcat-data-injection-via-Content-Length-14307