Description
Cytrix has detected that a HTTP request smuggling attack against chunked request parser is possible in the Version of Apache HTTP Server being used.
CVE-2015-3183 is categorized as a ‘Improper Input Validation’ vulnerability (CWE-20).
These vulnerabilities occur when the product receives an input or data, but it does not validate or incorrectly validates that the input actually has the properties that are required to process the data safely and correctly.
A bug was found in the chunked transfer coding implementation in the Apache HTTP Server being used.
Due to not properly parsing chunk headers, remote attackers could initiate HTTP request ‘Smuggling Attacks’ using a crafted request.
An attacker could force the server to misinterpret the request’s length, which allows to initiate Cache Poisoning or Credential Hijacking when an intermediary proxy is being used.
There’s a chance that this vulnerability will allow attackers to modify system files and information.
Recommendation
To fix CVE-2015-3183, upgrade the version of Apache HTTP Server being used to either 2.2.31 or 2.4.16.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3183
https://cwe.mitre.org/data/definitions/20.html