Hi, we are using Pound version pcidss-v2.6 (the latest version) on CentOS 6. We failed our PCI DSS scan due to some problems with "Transfer-Encoding: Chunked". When there is an HTTP request that uses Transfer-Encoding: Chunked, the pound-system closes the connection. This is not the right behavior for a patched system. A patched system will keep the connection open and deal with it in a different way.

This is the behavior of our Pound:

[root@powerpound ~]# telnet xx.xx.xx.xx 80
Trying xx.xx.xx.xx...
Connected to xx.xx.xx.xx.
Escape character is '^]'.
GET / HTTP/1.1
Host: iopjfds
Transfer-Encoding: Chunked
AAAAAAAAConnection closed by foreign host.

----------------------------------------

This is the behavior of a patched system:

[root@webserver ~]# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to webserver (127.0.0.1).
Escape character is '^]'.
GET / HTTP/1.1
Host: iopjfds
Transfer-Encoding: Chunked
AAAAAAAA
->Connection will not be closed.

Any suggestions are welcome!

This is the information we got from the scan program:

THREAT:
Apache is a freely available Web server for Unix and Linux variants, as well as Microsoft operating systems. Various products, such as StrongHold, Oracle 9iAS and IBM Websphere, use or bundle Apache. The HTTP protocol specifies a method of data coding called 'Chunked Encoding', designed to facilitate fragmentation of HTTP requests in transit. A vulnerability has been discovered in the Apache implementation of 'Chunked Encoding'. When processing requests coded with the 'Chunked Encoding' mechanism, Apache fails to properly calculate required buffer sizes. This is due to improper (signed) interpretation of an unsigned integer value. On Windows and Netware platforms, Apache uses threads within a single server process to handle concurrent connections. Causing the server process to crash on these platforms may result in a denial of service. The link http://httpd.apache.org/info/security_bulletin_20020617.txt provides additional information on this vulnerability for Apache running on Windows.

IMPACT:
This vulnerability can be exploited by an attacker to cause a Denial of Service and even execute arbitrary code on the vulnerable machine.

SOLUTION:
This vulnerability has been fixed in Apache 1.3.26 and Apache 2.0.37. Please upgrade to the latest version.

Kind regards
fatcharly
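
Added example (not part of the original post, and not code from Pound or Apache): the scan report blames "improper (signed) interpretation of an unsigned integer value", and the probe body in both telnet sessions, AAAAAAAA, is a hex chunk size with the top bit set. The sketch below shows that value going negative when stored in a signed 32-bit integer, next to a checked parser that rejects it; the function names and MAX_CHUNK_SIZE are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CHUNK_SIZE (1u << 20) /* assumed per-chunk limit for this example */

enum chunk_status { CHUNK_OK = 0, CHUNK_BAD_HEX = -1, CHUNK_TOO_LARGE = -2 };

static uint32_t hexval(char c)
{
    unsigned char u = (unsigned char)c;
    return isdigit(u) ? (uint32_t)(u - '0') : (uint32_t)(tolower(u) - 'a' + 10);
}

/* Flawed pattern: the size is accumulated as unsigned but handed on as a
 * signed int. On two's-complement platforms "AAAAAAAA" comes out negative,
 * so a later "size > limit" test does not reject it. */
int32_t chunk_size_signed(const char *s)
{
    uint32_t v = 0;
    for (; isxdigit((unsigned char)*s); s++)
        v = (v << 4) | hexval(*s);
    return (int32_t)v;
}

/* Checked form: stay unsigned, enforce the limit after every digit (so the
 * accumulator can never wrap), and require a valid terminator. */
enum chunk_status chunk_size_checked(const char *s, uint32_t *out)
{
    uint32_t v = 0;
    int digits = 0;
    for (; isxdigit((unsigned char)*s); s++, digits++) {
        v = (v << 4) | hexval(*s);
        if (v > MAX_CHUNK_SIZE)
            return CHUNK_TOO_LARGE;
    }
    if (digits == 0 || (*s != '\0' && *s != '\r' && *s != ';'))
        return CHUNK_BAD_HEX;
    *out = v;
    return CHUNK_OK;
}

int main(void)
{
    uint32_t n = 0;
    printf("signed:  %ld\n", (long)chunk_size_signed("AAAAAAAA"));
    printf("checked: %d\n", chunk_size_checked("AAAAAAAA", &n));
    return 0;
}
```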
