HAProxy Found Vulnerable to Critical HTTP Request Smuggling Attack (Security News, September 2021)
A critical security vulnerability has been disclosed in HAProxy, a widely used open-source load balancer and proxy server, that could be abused by an adversary to smuggle HTTP requests, resulting in unauthorized access to sensitive data and execution of arbitrary commands, effectively opening the door to an array of attacks.
HTTP Request Smuggling, as the name implies, is a web application attack that tampers with the way a website processes sequences of HTTP requests received from more than one user.
It is therefore crucial that requests are parsed consistently at both ends, so that each server can determine where one request ends and the next one begins. When the two disagree, malicious content appended to one request can be treated as the start of the next request.
In other words, due to a problem arising from how front-end and back-end servers work out the beginning and end of each request by using the Content-Length and Transfer-Encoding headers, the end of a rogue HTTP request is miscalculated, leaving the malicious content unprocessed by one server but prefixed to the beginning of the next inbound request in the chain.
"The attack was made possible by utilizing an integer overflow vulnerability that allowed reaching an unexpected state in HAProxy while parsing an HTTP request - specifically - in the logic that deals with Content-Length headers," researchers from JFrog Security said in a report published on Tuesday.
In a potential real-world attack scenario, the flaw could be used to trigger an HTTP request smuggling attack with the goal of bypassing ACL rules defined by HAProxy, which enables users to define custom rules for blocking malicious requests.
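The front-end framing check below is an added example, not code from HAProxy or from the JFrog report. It applies the rule implied by the description above: a request whose body length could be read two ways (both Content-Length and Transfer-Encoding present, conflicting duplicate Content-Length values, a non-decimal or oversize Content-Length that a fixed-width integer parser could mishandle) is rejected before it reaches a back end. The size limit and the sample requests are constructed for the example.

```python
"""Reject HTTP/1.1 requests whose body length is ambiguous.

Added example (not HAProxy or JFrog code). A request is refused whenever a
front end and a back end could disagree about where its body ends, which is
the condition HTTP request smuggling depends on.
"""
import re

# Assumption: a 32-bit signed bound on Content-Length. Oversize values are
# rejected outright rather than risking a wrap in a fixed-width parser.
MAX_CONTENT_LENGTH = 2**31 - 1


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split a request head into (name, value) pairs with lowercase names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_framing(raw: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a raw request head."""
    headers = parse_headers(raw)
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    if cl and te:
        # Two framing mechanisms: each hop may honour a different one.
        return False, "both Content-Length and Transfer-Encoding present"
    if len(set(cl)) > 1:
        return False, "conflicting duplicate Content-Length values"
    for v in cl:
        if not re.fullmatch(r"[0-9]+", v):
            return False, "Content-Length is not a plain decimal integer"
        if int(v) > MAX_CONTENT_LENGTH:
            return False, "Content-Length exceeds the configured maximum"
    if te and te[-1].split(",")[-1].strip().lower() != "chunked":
        # A final non-chunked coding leaves the body length undefined.
        return False, "Transfer-Encoding does not end with chunked"
    return True, "ok"


# Constructed sample request heads, not captured traffic.
AMBIGUOUS = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n")
CLEAN = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 4\r\n\r\nabcd")
```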