Gazelle HTTP Request Smuggling Vulnerability Due to Improper Header Precedence
Vulnerability
A vulnerability allowing HTTP request smuggling has been identified in Gazelle versions through 0.49 for Perl. This issue arises from the application incorrectly prioritizing the 'Content-Length' header over 'Transfer-Encoding: chunked' when both are present in an HTTP request. According to RFC 7230 section 3.3.3, 'Transfer-Encoding' should take precedence. An attacker could exploit this vulnerability to send malicious HTTP requests through a front-end reverse proxy, potentially bypassing security measures or manipulating request handling.
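The precedence rule can be seen by framing one request both ways. The following is an added example, not Gazelle's code or its patch: a minimal Python framing routine where `te_wins=False` models the Content-Length-first behaviour described above, and `SAMPLE`, `frame` and the other names are constructed for illustration.

```python
# Added example: message-body framing per RFC 7230 section 3.3.3.
# SAMPLE is constructed input, not captured traffic.

def parse_headers(raw: bytes):
    """Split a raw HTTP/1.1 request into (header dict, bytes after the blank line)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:              # skip the request line
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower().decode(), []).append(value.strip().decode())
    return headers, rest

def read_chunked(buf: bytes):
    """Decode a chunked body; return (body, bytes left over after the last chunk)."""
    body = b""
    while True:
        size_line, _, buf = buf.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)      # ignore chunk extensions
        if size == 0:
            while True:                               # skip optional trailer fields
                line, _, buf = buf.partition(b"\r\n")
                if not line:
                    return body, buf
        body, buf = body + buf[:size], buf[size + 2:]  # +2 skips the chunk's CRLF

def frame(raw: bytes, te_wins: bool = True):
    """Return (body, leftover, ambiguous) for the first request in raw."""
    headers, rest = parse_headers(raw)
    te = [t.strip().lower() for v in headers.get("transfer-encoding", []) for t in v.split(",")]
    cl = headers.get("content-length", [])
    chunked = bool(te) and te[-1] == "chunked"
    ambiguous = bool(te) and bool(cl)                 # both present: treat as an error
    if chunked and (te_wins or not cl):               # RFC order: Transfer-Encoding first
        body, leftover = read_chunked(rest)
    elif cl:                                          # Content-Length decides the length
        n = int(cl[0])
        body, leftover = rest[:n], rest[n:]
    else:
        body, leftover = b"", rest
    return body, leftover, ambiguous

SAMPLE = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
          b"Content-Length: 3\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"5\r\nhello\r\n0\r\n\r\n")

if __name__ == "__main__":
    print("RFC 7230 framing:", frame(SAMPLE, te_wins=True))
    print("CL-first framing:", frame(SAMPLE, te_wins=False))
```

With RFC framing the whole body is consumed and nothing is left on the connection; with Content-Length-first framing 12 bytes remain and would be parsed as the start of the next request. RFC 7230 section 3.3.3 also says a message carrying both headers ought to be handled as an error, which is what the `ambiguous` flag marks.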
Impact
Exploitation of this vulnerability could lead to HTTP request smuggling, allowing an attacker to send hidden requests that are not properly processed or blocked by security measures. Depending on the deployment context, this could disrupt normal application behavior, enable response splitting attacks, or manipulate caching mechanisms.
Reproduction
To reproduce this vulnerability, send an HTTP request to a server running Gazelle through a reverse proxy. Include both 'Content-Length' and 'Transfer-Encoding: chunked' headers in the request. The server will incorrectly process the headers, prioritizing 'Content-Length' and allowing the smuggling of additional requests through the proxy.
Remediation
Users are advised to upgrade to Gazelle version 0.49 or later, or to apply the available patch.
