Starman HTTP Request Smuggling Vulnerability
Vulnerability
An HTTP request smuggling vulnerability has been identified in Starman for Perl, in versions prior to 0.4018. The issue arises from improper header precedence: when a request carries both 'Content-Length' and 'Transfer-Encoding: chunked', Starman incorrectly prioritizes 'Content-Length'. According to RFC 7230 section 3.3.3, 'Transfer-Encoding' should take precedence. A front-end reverse proxy that follows the RFC therefore disagrees with Starman about where the request body ends, and this can be exploited to send malicious HTTP requests through the proxy.
Impact
Exploitation of this vulnerability allows for HTTP request smuggling, where an attacker can send additional requests that the server or proxy does not handle properly, potentially leading to cache poisoning or other attacks.
Reproduction
To reproduce this vulnerability, send an HTTP request with both 'Content-Length' and 'Transfer-Encoding: chunked' headers. The 'Content-Length' should be set to a value that is intentionally misleading, such as '5', while the chunked body includes 'Hello World'. This request can be sent using a TCP socket or through a tool that allows for manual HTTP header manipulation.
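The framing disagreement behind the request described above, as an added example (not code from Starman or from this advisory): a minimal Python parser that frames the same constructed request under each precedence rule. The host name, the function names and the te_wins parameter are assumptions made for illustration.

```python
# Added example: constructed request; this is not Starman's parser.
RAW = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"b\r\nHello World\r\n0\r\n\r\n"
)

def split_request(raw):
    """Return (lower-cased header dict, bytes following the header block)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, rest

def read_chunked(data):
    """Decode a chunked body (no trailer fields assumed); return (body, leftover)."""
    body, pos = b"", 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return body, data[pos + 2:]  # skip the CRLF that ends the message
        body += data[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF

def frame(raw, te_wins):
    """Return (body, leftover, both_present).
    te_wins=True follows RFC 7230 section 3.3.3; te_wins=False models the
    Content-Length-first precedence the advisory describes."""
    headers, rest = split_request(raw)
    chunked = headers.get("transfer-encoding", "").lower().endswith("chunked")
    has_cl = "content-length" in headers
    if chunked and (te_wins or not has_cl):
        body, leftover = read_chunked(rest)
    elif has_cl:
        n = int(headers["content-length"])
        body, leftover = rest[:n], rest[n:]
    else:
        body, leftover = b"", rest
    return body, leftover, chunked and has_cl

if __name__ == "__main__":
    for te_wins in (True, False):
        print(te_wins, frame(RAW, te_wins))
```

With te_wins=False the parser stops after 5 bytes and the rest of the chunked body stays on the connection, where it would be read as the start of the next request. RFC 7230 section 3.3.3 also says a message carrying both headers ought to be handled as an error, which is what the third return value lets a front end check for.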
Remediation
Users can upgrade to Starman version 0.4018 or later, where this vulnerability has been fixed.
