Kayran has detected a flaw in the way httpd handles HTTP Trailer headers when processing requests that use chunked encoding. The flaw is also known as CVE-2013-5704.
HTTP trailers can be used to replace HTTP headers during the processing of the request.
That could potentially “confuse” modules that examine or modify request headers.
Because of Improper Authentication and the “mod_headers” module in the Apache HTTP Server, remote attackers can bypass “RequestHeader unset” directives by placing a header in the trailer portion of data sent with chunked transfer coding.
Abusing this further, attackers could bypass the header restrictions defined with mod_headers.
CVSS Version 2.0 – 6.1 Medium
To prevent CVE-2013-5704, update Apache httpd to either version 2.2.29, or to version 2.4.12 or higher.
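An added example (not part of the original advisory or of Kayran's tooling): a defensive check that reads the “RequestHeader unset” directives from a configuration and reports any field in the trailer of a captured chunked request that names one of those headers. The configuration text, the captured request and the X-Auth-User header name are constructed for illustration.

```python
import re

# Constructed sample inputs (not from the original page).
SAMPLE_CONF = 'RequestHeader unset X-Auth-User\nRequestHeader set X-Proto "https"\n'
SAMPLE_REQUEST = (
    b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
    b"5\r\nhello\r\n0\r\n"
    b"X-Auth-User: admin\r\nX-Checksum: abc123\r\n\r\n"
)


def unset_headers(conf_text):
    """Lower-cased header names removed by 'RequestHeader unset' directives."""
    pat = re.compile(r"^\s*RequestHeader\s+unset\s+(\S+)", re.I | re.M)
    return {m.group(1).lower() for m in pat.finditer(conf_text)}


def trailer_fields(raw):
    """Trailer field names of a chunked request; [] if none or malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or not re.search(rb"(?im)^transfer-encoding:.*\bchunked\b", head):
        return []
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return []  # truncated capture: last-chunk never seen
        tok = body[pos:eol].split(b";")[0].strip()  # ignore chunk extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]+", tok):
            return []  # malformed chunk-size line
        size = int(tok, 16)
        pos = eol + 2
        if size == 0:
            break
        pos += size + 2  # skip chunk data and its CRLF
    names = []
    for line in body[pos:].split(b"\r\n"):
        if not line:
            break  # blank line ends the trailer section
        names.append(line.split(b":", 1)[0].strip().decode("latin-1").lower())
    return names


def flag_trailer_bypass(conf_text, raw):
    """Trailer fields whose names the configuration tries to unset."""
    blocked = unset_headers(conf_text)
    return [n for n in trailer_fields(raw) if n in blocked]
```

Any non-empty result from `flag_trailer_bypass` marks a request worth reviewing on servers that have not yet been updated to a fixed version.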