Apache – CVE-2013-5704

Description

Kayran has detected a flaw in the way httpd handles HTTP trailer headers when processing requests that use chunked encoding. This flaw is also known as CVE-2013-5704.
HTTP trailers can be used to replace HTTP headers while the request is being processed.

That could “confuse” modules that examine or modify request headers.

Due to Improper Authentication in the “mod_headers” module of the Apache HTTP Server, remote attackers can bypass “RequestHeader unset” directives.
They do so by placing a header in the trailer portion of data sent with chunked transfer coding.

By abusing this further, attackers could bypass the header restrictions defined with mod_headers.
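
For reviewing captured raw requests (for example from a proxy or WAF capture), the following added example walks a chunked body and reports any fields in the trailer section, marking those that name a header the server is configured to unset. It is not Kayran or Apache code; the function names, the sample request and the header name "X-Stripped-Header" are constructed assumptions.

```python
# Added example, not Kayran or Apache code. SAMPLE and the header name
# "X-Stripped-Header" are constructed for illustration.
SAMPLE = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n"
          b"5\r\nhello\r\n0\r\nX-Stripped-Header: example\r\n\r\n")

def parse_fields(lines):
    """Turn 'Name: value' byte lines into a dict with lower-cased names."""
    fields = {}
    for line in lines:
        if not line:
            break  # an empty line ends the field section
        name, _, value = line.partition(b":")
        fields[name.strip().lower().decode()] = value.strip().decode()
    return fields

def trailer_fields(body):
    """Walk the chunks and return the fields that follow the zero-size chunk."""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            break
        pos += size + 2  # skip the chunk data and its trailing CRLF
    return parse_fields(body[pos:].split(b"\r\n"))

def audit(raw, unset_headers):
    """List (finding, field) pairs for every trailer field in a raw request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = parse_fields(head.split(b"\r\n")[1:])  # skip the request line
    if "chunked" not in headers.get("transfer-encoding", "").lower():
        return []
    try:
        trailers = trailer_fields(body)
    except ValueError:  # bad chunk size or truncated body
        return [("malformed-chunking", "")]
    watched = {h.lower() for h in unset_headers}
    return [("unset-header-in-trailer" if name in watched else "trailer-field", name)
            for name in trailers]

if __name__ == "__main__":
    print(audit(SAMPLE, ["X-Stripped-Header"]))
```

Pass `unset_headers` the header names that appear in the site's own “RequestHeader unset” directives.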

Recommendation

To prevent CVE-2013-5704, update Apache httpd to either version 2.2.29, or version 2.4.12 or higher.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5704

https://cwe.mitre.org/data/definitions/287.html
