ewe Web Server Authentication Bypass Vulnerability via Trailers in Chunked Transfer Encoding

Vulnerability

A vulnerability allowing authentication bypass or spoofing of proxy-trust headers has been identified in the Gleam web server 'ewe', in versions from 0.6.0 up to, but not including, 3.0.5. The issue arises in the handling of chunked transfer encoding trailers: declared trailer fields are merged into the request headers after the body has been parsed, and the denylist applied to them blocks only nine specific header names. Security-sensitive headers outside that list can therefore be injected or overwritten by a malicious client. Exploitation can bypass authentication, hijack sessions, and spoof proxy-trust headers in downstream middleware that processes headers after the 'ewe.read_body' function is called.

Impact

Exploitation of this vulnerability allows for authentication bypass, session hijacking, and spoofing of proxy-trust headers, which can disrupt middleware that relies on these headers for processing.

Reproduction

To reproduce this vulnerability, send a POST request with chunked transfer encoding. Include a 'Trailer' header that specifies a security-sensitive header name, such as 'authorization' or 'x-forwarded-for'. After the final chunk, append the trailer field declaration, injecting or overwriting the header value. This can be done using a tool like netcat to send the crafted HTTP request.

Remediation

Users can update to 'ewe' version 3.0.5, which addresses this vulnerability by fixing the trailer handling and expanding the denylist to include security-sensitive headers.
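
The effect of a narrow versus an expanded trailer denylist, as an added Python example (not ewe's code, which is written in Gleam). Both denylists, the function names and the sample request are constructed for illustration and are not ewe's actual lists or API.

```python
# Added example: merging chunked-encoding trailers under two denylists.
# Both sets are constructed for illustration; they are not ewe's real lists.
NARROW_DENYLIST = frozenset({"content-length", "transfer-encoding", "host", "trailer"})
EXPANDED_DENYLIST = NARROW_DENYLIST | frozenset({
    "authorization", "proxy-authorization", "cookie", "set-cookie",
    "forwarded", "x-forwarded-for", "x-forwarded-host", "x-forwarded-proto",
    "x-real-ip",
})


def parse_trailer_section(raw: bytes) -> list[tuple[str, str]]:
    """Parse the field lines that follow the last (zero-size) chunk."""
    fields = []
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip():
            raise ValueError("malformed trailer field line")
        fields.append((name.decode("ascii").lower(), value.decode("latin-1").strip()))
    return fields


def merge_trailers(headers: dict[str, str], trailers, denylist) -> tuple[dict, list]:
    """Return (merged headers, names of trailer fields that were dropped)."""
    declared = {n.strip().lower() for n in headers.get("trailer", "").split(",") if n.strip()}
    merged, dropped = dict(headers), []
    for name, value in trailers:
        # Only fields announced in the Trailer header and absent from the
        # denylist are merged; everything else is discarded and reported.
        if name not in declared or name in denylist:
            dropped.append(name)
            continue
        merged[name] = value
    return merged, dropped


# Constructed sample: headers as received before the body, then the trailer section.
SAMPLE_HEADERS = {
    "host": "app.example",
    "transfer-encoding": "chunked",
    "trailer": "authorization, x-forwarded-for, x-checksum",
    "x-forwarded-for": "203.0.113.7",
}
SAMPLE_TRAILERS = parse_trailer_section(
    b"authorization: Bearer constructed-token\r\n"
    b"x-forwarded-for: 127.0.0.1\r\n"
    b"x-checksum: abc123\r\n"
    b"x-undeclared: 1\r\n"
)
```

Calling merge_trailers with NARROW_DENYLIST lets the trailer add 'authorization' and replace 'x-forwarded-for'; with EXPANDED_DENYLIST both are dropped and only 'x-checksum' is merged.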

Added: Mar 20, 2026, 2:29 AM
Updated: Mar 20, 2026, 2:29 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 8.7
remediation: 0.0
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.