Security News > 2021 > September > HAProxy Found Vulnerable to Critical HTTP Request Smuggling Attack
A critical security vulnerability has been disclosed in HAProxy, a widely used open-source load balancer and proxy server, that could be abused by an adversary to possibly smuggle HTTP requests, resulting in unauthorized access to sensitive data and execution of arbitrary commands, effectively opening the door to an array of attacks.
HTTP Request Smuggling, as the name implies, is a web application attack that tampers the manner a website processes sequences of HTTP requests received from more than one user.
It's therefore crucial that the requests are processed correctly at both ends so that the servers can determine where one request ends and the next one begins, a failure of which can result in a scenario where malicious content appended to one request gets added to the start of the next request.
In other words, due to a problem arising from how front-end and back-end servers work out the beginning and end of each request by using the Content-Length and Transfer-Encoding headers, the end of a rogue HTTP request is miscalculated, leaving the malicious content unprocessed by one server but prefixed to the beginning of the next inbound request in the chain.
"The attack was made possible by utilizing an integer overflow vulnerability that allowed reaching an unexpected state in HAProxy while parsing an HTTP request - specifically - in the logic that deals with Content-Length headers," researchers from JFrog Security said in a report published on Tuesday.
In a potential real-world attack scenario, the flaw could be used to trigger an HTTP request smuggling attack with the goal of bypassing ACL rules defined by HAProxy, which enables users to define custom rules for blocking malicious requests.
News URL
Related news
- CISA warns of critical Palo Alto Networks bug exploited in attacks (source)
- Critical Veeam RCE bug now used in Frag ransomware attacks (source)
- Critical bug in EoL D-Link NAS devices now exploited in attacks (source)
- Palo Alto Networks warns of critical RCE zero-day exploited in attacks (source)
- Critical RCE bug in VMware vCenter Server now exploited in attacks (source)
- CISA Urges Agencies to Patch Critical "Array Networks" Flaw Amid Active Attacks (source)
- Critical WordPress Anti-Spam Plugin Flaws Expose 200,000+ Sites to Remote Attacks (source)
- Cleo patches critical zero-day exploited in data theft attacks (source)
- New IOCONTROL malware used in critical infrastructure attacks (source)
- CISA confirms critical Cleo bug exploitation in ransomware attacks (source)