Libsoup HTTP Request Smuggling Vulnerability via Unsigned to Signed Conversion Error

Vulnerability

A vulnerability in Libsoup allows remote attackers to perform HTTP request smuggling by exploiting an unsigned to signed conversion error in the 'soup_body_input_stream_read_chunked()' function. This issue arises when Libsoup is used as a proxy in front of a non-Libsoup backend server, or vice versa. Exploitation of this vulnerability can lead to bypassing security controls, web cache poisoning, or unauthorized access.

Impact

Exploitation causes HTTP message boundary desynchronization on keep-alive connections, allowing the server to process two requests on one connection. This could be used to bypass security mechanisms and gain unauthorized access to web applications.

Reproduction

The vulnerability can be reproduced by sending a malicious HTTP request with chunked transfer encoding that declares an oversized chunk size. This can be done with a tool such as Netcat to hand-craft the raw HTTP request. The Libsoup server misinterprets the chunked data and loses the message boundary, so it processes two requests where it should see one, which is the request smuggling condition.
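The defensive counterpart to the behaviour described above, as an added C example that is not libsoup's code: a hypothetical chunk-size parser and body decoder that reject any chunk size above SSIZE_MAX before it can be converted to a signed type, and that check the declared size against the data actually present, so a desynchronized message is refused rather than processed. The chunked bodies used to exercise it are constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#ifndef SSIZE_MAX
#define SSIZE_MAX ((ssize_t)(SIZE_MAX >> 1))
#endif

/* Parsed chunk-size line "<hex>[;ext]\r\n": ok != 0 on success. */
typedef struct { int ok; size_t size; } chunk_size_result;

/* Hypothetical hardened chunk-size parser (not libsoup's code). It rejects
 * syntax errors and any size above SSIZE_MAX, so a later conversion to a
 * signed type (the error class this page describes) can never go negative. */
chunk_size_result parse_chunk_size(const char *line) {
    chunk_size_result r = { 0, 0 };
    if (!line || !isxdigit((unsigned char)line[0])) return r;
    char *end = NULL; errno = 0;
    unsigned long long v = strtoull(line, &end, 16);
    if (errno == ERANGE) return r;                   /* overflowed 64 bits */
    if (*end != '\r' && *end != ';') return r;       /* hex, then ";ext" or CRLF */
    if (v > (unsigned long long)SSIZE_MAX) return r; /* would wrap to negative */
    r.ok = 1; r.size = (size_t)v;
    return r;
}

/* Decode a complete, NUL-terminated chunked body. Returns payload bytes written
 * to out, or -1 if a chunk is malformed, oversized, or claims more data than
 * the message carries (the desynchronization this page describes). */
ssize_t decode_chunked(const char *in, size_t in_len, char *out, size_t out_cap) {
    size_t pos = 0, written = 0;
    while (pos < in_len) {
        chunk_size_result cs = parse_chunk_size(in + pos);
        const char *nl = memchr(in + pos, '\n', in_len - pos);
        if (!cs.ok || !nl) return -1;
        pos = (size_t)(nl - in) + 1;                 /* skip the size line */
        if (cs.size == 0) return (ssize_t)written;   /* last-chunk; trailers ignored */
        if (in_len - pos < 2 || cs.size > in_len - pos - 2) return -1;
        if (cs.size > out_cap - written) return -1;
        memcpy(out + written, in + pos, cs.size);
        written += cs.size; pos += cs.size;
        if (in[pos] != '\r' || in[pos + 1] != '\n') return -1;
        pos += 2;
    }
    return -1;                                       /* no last-chunk seen */
}
```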

Remediation

Users should update to the latest version of Libsoup, where this vulnerability has been fixed.

Added: May 29, 2026, 7:19 AM
Updated: May 29, 2026, 7:19 AM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 0.6
exploitability: 7.0
remediation: 0.0
relevance: 9.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.