A recently disclosed vulnerability could allow attackers unauthorized access to backend servers sitting behind HAProxy.
HAProxy, a widely used open source load balancer and reverse proxy, has addressed a vulnerability that could permit attackers to execute HTTP request smuggling attacks.
By delivering a carefully crafted HTTP request, malicious actors could circumvent HAProxy’s filters, leading to unauthorized backend server access.
Header Manipulation
HAProxy maintainer Willy Tarreau noted in a statement that “a correctly modeled HTTP request can lead HAProxy to disregard crucial header fields such as Connection, Content-length, Transfer-Encoding, Host, etc., once they have been parsed and handled to some extent.”
This could confuse the HAProxy system, potentially allowing requests to reach the backend server without proper filtering.
The exploitation of this vulnerability could enable attackers to bypass authentication checks for specific URLs or access restricted content. While the exploit is relatively simple, the severity of its impact can vary based on the web server’s reliance on HAProxy’s filtering systems.
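The framing headers named above (Content-Length, Transfer-Encoding, Host) are exactly the ones a proxy must agree on with its backend. The check below is an added example, not HAProxy's code or its published workaround: a strict HTTP/1.1 request-head validator, of the kind an edge proxy or WAF can apply before forwarding, that refuses any request whose framing is ambiguous instead of guessing. The sample requests and host names are constructed for the example.

```python
"""Strict HTTP/1.1 request-framing check at the proxy edge.

Added illustration, not HAProxy code. A request whose framing is ambiguous
(two ways to decide where its body ends, or no single Host) is rejected
outright, because forwarding it lets the proxy and the backend disagree.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample requests (no real hosts).
GOOD_REQUEST = (
    b"GET /api/items HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Length: 0\r\n\r\n"
)
AMBIGUOUS_REQUEST = (
    b"POST /api/items HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Length: 5\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
)


def parse_headers(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw request head into the request line and (name, value) pairs.

    Names are lower-cased. Lines that are not a clean 'name: value' pair
    (obsolete line folding, whitespace before the colon, no colon at all)
    raise instead of being silently repaired.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        if line[0] in " \t" or ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        if not name or name != name.strip():
            raise ValueError(f"malformed header name: {name!r}")
        headers.append((name.lower(), value.strip()))
    return lines[0], headers


def framing_problems(headers: List[Tuple[str, str]]) -> List[str]:
    """Return every reason the request must not be forwarded (empty = OK).

    Each rule is plain RFC 9112 framing discipline; none of them depends on
    what any particular backend does with the header.
    """
    problems: List[str] = []
    by_name: Dict[str, List[str]] = {}
    for name, value in headers:
        by_name.setdefault(name, []).append(value)

    cl = by_name.get("content-length", [])
    te = by_name.get("transfer-encoding", [])
    hosts = by_name.get("host", [])

    if cl and te:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        problems.append("conflicting Content-Length values")
    for value in cl:
        if not re.fullmatch(r"[0-9]+", value):
            problems.append(f"non-numeric Content-Length {value!r}")
    if te:
        # Coding list may be split across several header lines; join them.
        codings = [c.strip().lower() for c in ",".join(te).split(",")]
        if codings[-1] != "chunked":
            problems.append("Transfer-Encoding does not end with chunked")
        if codings.count("chunked") > 1:
            problems.append("chunked applied more than once")
    if len(hosts) != 1:
        problems.append(f"expected exactly one Host header, got {len(hosts)}")
    return problems


def should_forward(raw: bytes) -> Tuple[bool, List[str]]:
    """Decide whether a raw request head is safe to pass to a backend."""
    try:
        _, headers = parse_headers(raw)
    except ValueError as exc:
        return False, [str(exc)]
    problems = framing_problems(headers)
    return not problems, problems


if __name__ == "__main__":
    for label, req in (("good", GOOD_REQUEST), ("ambiguous", AMBIGUOUS_REQUEST)):
        ok, why = should_forward(req)
        print(label, "forward" if ok else "reject", why)
```

The design choice worth noting is that the validator never tries to pick a "winning" header: any request with two candidate body lengths, or a Host count other than one, is dropped at the edge, so a backend that parses more leniently never sees it.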
“Moderate knowledge of the HTTP protocol and an understanding of smuggling attacks are sufficient,” Tarreau stated in an interview with The Daily Swig.
“I expect that typical HTTP vulnerability hunters will swiftly grasp the exploitation method and may only need a couple of tests to see their theories validated, which is why we believed additional details were unnecessary.”
Long-Standing Vulnerability
The vulnerability was reported by a team of researchers from Northeastern University, together with partners from Akamai Technologies and Google, who found it during testing.
According to Tarreau, the issue has persisted since the launch of HAProxy version 2.0 in June 2019.
“Any configuration that supports HTTP/1 for both client and server is at risk unless it operates on a patched version or follows my proposed workaround,” Tarreau explained. “This means nearly all exposed deployments are vulnerable.”
Systems installed deeper within the infrastructure, such as API gateways, are not affected since no application or forward proxy will generate such invalid requests.
Tarreau continues to actively maintain seven versions of HAProxy and has issued corresponding fixes for all.
“For most users, a load balancer is a vital part of their infrastructure, and they typically won’t upgrade unless absolutely necessary or if new features are required,” Tarreau stated.
“As such, we maintain each stable version for five years, giving users ample time to test and transition to the latest version when they are ready.”
Temporary Solutions
For users unable to upgrade immediately, Tarreau has shared a temporary configuration-based workaround that mitigates the exploitation risk by identifying the internal conditions caused by the vulnerability.
For those on legacy HAProxy versions, Tarreau’s notice advises: “If you’re using an older version… the best immediate step is to upgrade to the next available branch, which will minimize unexpected surprises or significant changes.”
“Those who haven’t updated in five years shouldn’t ask for help; if you didn’t prioritize upgrades, it’s unlikely anyone will assist you in catching up.”
This isn’t the first significant HTTP request smuggling issue to affect HAProxy, with The Daily Swig previously reporting on a similar vulnerability disclosed by JFrog researchers in September 2021.
Based on an article from PortSwigger: https://portswigger.net/daily-swig/http-request-smuggling-bug-patched-in-haproxy