Hi,

Recently our PaaS application started failing external PCI security scans-- specifically the one entitled CVE-2005-2090, "Request Smuggling". As I've tried to isolate this, I think it boils down to Pound taking the last Content-Length header in a list of multiple headers and passing it on to the back end (just the one header, rather than forwarding them all or rejecting the request). So far my findings are based on testing where Pound is not used for load balancing and this failure does not occur.

Questions:
1) Should I expect all headers to be sent to the back end, even in a bad request?
2) Should Pound be expected to reject bad requests such as those outlined in CVE-2005-2090?
3) Does the 2.7 version have these improvements?
4) Is there an "official" RPM repo out there that contains a 2.7 install?

Pound is very easy to work with, and when it comes to network components and security, easy is important-- so I'm not keen on finding a replacement. I can deal with the problems (bad request) if it actually makes it to me. Not sure I'm ready to tackle coding updates to Pound.

Thanks,
D

--
David Martineau
CTO
ContractPal, Inc.
p. 801.494.1861 x120
[email protected]
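The behaviour described in the post (a proxy keeping only the last of several Content-Length headers) is exactly the framing ambiguity that request-smuggling scanners probe for. The following is an added example, not Pound's code and not from the original message: a front-end-side check of the kind a reverse proxy should apply before forwarding a request, following the RFC 7230 section 3.3.3 framing rules. It treats differing Content-Length values, a non-numeric Content-Length, or Content-Length alongside Transfer-Encoding as invalid framing and returns a reason suitable for a 400 response. All sample requests below are constructed for the example; the function names (parse_head, check_framing) are the example's own.

```python
"""Reject HTTP/1.1 request heads whose message framing is ambiguous.

Added example (not Pound's code). Instead of silently picking one of
several Content-Length headers and forwarding it, a proxy should refuse
the request when the headers disagree about where the body ends, since a
front end and a back end that pick different headers can be made to
disagree about message boundaries (CVE-2005-2090 / request smuggling).
"""
from __future__ import annotations

import re

# Content-Length must be a plain decimal integer (RFC 7230 3.3.2).
_CL_RE = re.compile(r"^[0-9]+$")


def parse_head(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Split a request head (up to the blank line) into the request line
    and a list of (lowercased-name, value) header pairs.

    Raises ValueError on a header line without a colon, which is itself
    malformed and should not be forwarded.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers: list[tuple[str, str]] = []
    for line in header_lines:
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        # Header field names are case-insensitive; normalise for comparison.
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def check_framing(raw: bytes) -> tuple[bool, str]:
    """Return (ok, reason). ok=False means the proxy should answer
    400 Bad Request and must not forward the request to a back end."""
    try:
        _, headers = parse_head(raw)
    except ValueError as exc:
        return False, str(exc)

    cl_values = [v for n, v in headers if n == "content-length"]
    # A single header may also carry a comma-separated list ("5, 5"),
    # so flatten every header into its individual values.
    flat = [p.strip() for v in cl_values for p in v.split(",")]
    te_present = any(n == "transfer-encoding" for n, _ in headers)

    if te_present and flat:
        return False, "both Transfer-Encoding and Content-Length present"
    if any(not _CL_RE.match(p) for p in flat):
        return False, "non-numeric Content-Length"
    if len(set(flat)) > 1:
        return False, "conflicting Content-Length values"
    # Zero or one distinct, well-formed value: framing is unambiguous.
    return True, "ok"


# Constructed sample requests (not captured traffic).
SAMPLE_OK = (
    b"POST /api HTTP/1.1\r\nHost: example.invalid\r\n"
    b"Content-Length: 5\r\n\r\nhello"
)
SAMPLE_DUP_SAME = (
    b"POST /api HTTP/1.1\r\nHost: example.invalid\r\n"
    b"Content-Length: 5\r\nContent-Length: 5\r\n\r\nhello"
)
SAMPLE_CONFLICT = (
    b"POST /api HTTP/1.1\r\nHost: example.invalid\r\n"
    b"Content-Length: 5\r\nContent-Length: 0\r\n\r\nhello"
)
SAMPLE_TE_CL = (
    b"POST /api HTTP/1.1\r\nHost: example.invalid\r\n"
    b"Transfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n0\r\n\r\n"
)


def run_samples() -> dict[str, tuple[bool, str]]:
    """Evaluate every constructed sample; handy for a quick manual run."""
    return {
        "ok": check_framing(SAMPLE_OK),
        "dup_same": check_framing(SAMPLE_DUP_SAME),
        "conflict": check_framing(SAMPLE_CONFLICT),
        "te_and_cl": check_framing(SAMPLE_TE_CL),
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:10s} -> {result}")
```

Two identical Content-Length values are accepted here because RFC 7230 permits a recipient to collapse them into one; a stricter deployment can simply reject whenever more than one Content-Length header is present, which is the policy most front-end proxies have since adopted.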
