|
|
Subscribe / Log in / New account

golang: HTTP request smuggling

Package(s):golang CVE #(s):CVE-2015-5739 CVE-2015-5740 CVE-2015-5741
Created:August 18, 2015 Updated:July 28, 2016
Description: From the Red Hat bugzilla entry:

There have been found potentially exploitable flaws in Golang net/http library affecting versions 1.4.2 and 1.5.

Problems:
* Double Content-length headers in a request does not generate a 400 error, the second Content-length is ignored.
* Invalid headers are parsed as valid headers (like "Content Length:" with a space in the middle)
Exploitations:
In a situation where the net/http agent HTTP communication with the final http clients is using some reverse proxy (reverse proxy cache, SSL terminators, etc), some requests can be made exploiting the net/http HTTP protocol violations.

Alerts:
openSUSE openSUSE-SU-2016:1894-1 go 2016-07-27
Fedora FEDORA-2015-15618 golang 2015-10-01
Fedora FEDORA-2015-15619 golang 2015-10-01
Fedora FEDORA-2015-13002 golang 2015-08-18
Fedora FEDORA-2015-12957 golang 2015-08-18
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds