HTTP response smuggling
- Announced: June 1, 2006
- Reporter: Kazuho Oku (Cybozu Labs)
- Products: Firefox, SeaMonkey, Thunderbird
- Fixed in
  - Firefox 1.5.0.4
  - SeaMonkey 1.0.2
  - Thunderbird 1.5.0.4
Kazuho Oku of Cybozu Labs reports via the Information-technology Promotion Agency, Japan, that Firefox is vulnerable to HTTP response smuggling when used with certain proxy servers.
The first technique takes advantage of Mozilla's lenient handling of HTTP header syntax, which was necessary in the past to cope with various real-world servers. One aspect was to accept HTTP headers with space characters between the header name and the colon. A modern proxy with strict syntax checking would ignore these as invalid headers, while Mozilla clients might accept them and interpret one long response as two shorter responses. If a page on the malicious host can make Firefox issue two requests in succession, one to the malicious host and one to the victim site, the second part of the response from the malicious site could be interpreted as the response from the victim site. The content of that response could be a web page that could steal login cookies or other sensitive data if the user has an account at the victim site.
A second variant accomplishes the same thing by sending HTTP 1.1 headers through an HTTP 1.0 proxy such as the popular Squid. The proxy will ignore the unknown 1.1 header (such as "Transfer-Encoding: chunked") while Mozilla-based clients will accept it and again can be made to interpret one long response as two shorter ones.
If the user is not browsing through a proxy, the same attacks can still be mounted but would be effective only if the malicious site were at the same IP address as the victim site.
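The root cause in both variants is a framing disagreement between a strict parser (the proxy) and a lenient one (the client). The following added example, not code from this advisory or from Mozilla, shows that differential on a constructed response stream: a strict parser that ignores a header with whitespace before the colon sees one response, while a lenient parser sees two. The `parsing_differential` check is the kind of test a proxy or gateway operator can run over upstream traffic to flag responses whose framing would be read differently by a lenient client.

```python
# Constructed sample: a single upstream byte stream. Under strict HTTP/1.1 syntax the
# "Content-Length : 5" field (space before the colon) is invalid and is ignored, so
# the stream is one response whose body runs to connection close. A lenient parser
# that tolerates the space frames a 5-byte body followed by a second, complete
# response: the differential that response smuggling relies on.
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length : 5\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello"
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 7\r\n"
    b"\r\n"
    b"smuggle"
)

def parse_headers(raw, strict):
    """Return {lowercased name: value}. With strict=True, fields whose name is
    followed by whitespace before the colon are dropped (RFC 7230 section 3.2.4)."""
    headers = {}
    for line in raw.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        if strict and name != name.rstrip():
            continue  # invalid field-name; a strict parser discards it
        headers[name.strip().lower()] = value.strip()
    return headers

def split_responses(stream, strict):
    """Frame a byte stream into (status_line, body) responses under one rule set.
    Only Content-Length framing is modelled; chunked encoding is left out."""
    responses = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            break  # incomplete header block
        status_line, _, header_block = head.partition(b"\r\n")
        headers = parse_headers(header_block, strict)
        if b"content-length" in headers:
            n = int(headers[b"content-length"])
            body, stream = rest[:n], rest[n:]
        else:
            body, stream = rest, b""  # no framing header: body extends to close
        responses.append((status_line, body))
    return responses

def parsing_differential(stream):
    """True when strict and lenient parsing disagree on how many responses exist."""
    return len(split_responses(stream, True)) != len(split_responses(stream, False))
```

On the sample stream the strict parser returns one response and the lenient parser two, so `parsing_differential` reports the desync.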
Upgrade to a fixed version.