Data 'smuggling' opens websites to attack

Thousands of websites may be at risk from a new form of network attack that involves burying harmful packets of data within seemingly legitimate ones.

Researchers at computer security firm Watchfire, in Massachusetts, US, discovered the attack technique, which they dub "HTTP Request Smuggling" (HRS). It exploits discrepancies in the way different combinations of software deal with the language used to transfer web pages, called Hypertext Transfer Protocol (HTTP).

Carefully crafting HTTP packets to make use of these discrepancies could enable hackers to carry out a range of nefarious acts, the researchers say. For example, an attacker could replace pages on a web site, or sneak destructive code past defences designed to filter out unsafe data packets.

The problem affects scores of different products and there are many possible variations, the researchers say. "Whenever HTTP requests originating from a client pass through more than one entity that parses [processes] them, there is a good chance that these entities are vulnerable to HRS," the researchers write in a paper outlining the attack technique.

One of the simplest forms of HTTP smuggling involves sending packets of data containing multiple "content-length" header tags, instead of just one. The researchers found that including two content-length tags causes different web programs to react differently. Some will process the first header and ignore the second while others will reject the first tag and go straight to the next one.

Laurie expects HTTP smuggling to be exploited by hackers before long, and says the only sure way to counteract the threat is to follow the HTTP guidelines strictly. "It is interesting that being liberal in what you accept is the base cause of this misbehaviour," Laurie says. "Perhaps it is time the idea was revisited."
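The duplicate content-length discrepancy described above can be shown on a constructed byte stream. This is an added example, not code from the article or from the Watchfire paper: it counts how many requests a "first header wins" and a "last header wins" parser each see in the same bytes, and includes a strict check that refuses the message instead of guessing. The function names, the `example.test` host and the sample request are assumptions made for illustration.

```python
def split_head(raw: bytes):
    """Return (header lines, bytes after the blank line) for one request."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    return head.split(b"\r\n"), rest

def content_lengths(lines):
    """All Content-Length values in order of appearance (case-insensitive)."""
    values = []
    for line in lines[1:]:                  # lines[0] is the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            values.append(int(value.strip()))
    return values

def count_requests(raw: bytes, policy: str) -> int:
    """Count the requests a lenient parser sees when it trusts the
    'first' or the 'last' Content-Length header of each request."""
    count = 0
    while raw.strip():
        lines, rest = split_head(raw)
        lengths = content_lengths(lines)
        if not lengths:
            body_len = 0                    # no body declared
        else:
            body_len = lengths[0] if policy == "first" else lengths[-1]
        raw = rest[body_len:]               # whatever follows is the next request
        count += 1
    return count

def strict_reject(raw: bytes) -> bool:
    """True if the first request carries conflicting Content-Length values."""
    lines, _ = split_head(raw)
    return len(set(content_lengths(lines))) > 1

# Constructed sample: one POST with two Content-Length headers. The second
# header's value covers the trailing bytes, the first header's value does not.
TRAILING = b"GET /b HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE = (b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 0\r\n"
          b"Content-Length: " + str(len(TRAILING)).encode() + b"\r\n\r\n"
          + TRAILING)

if __name__ == "__main__":
    print("first-wins parser sees", count_requests(SAMPLE, "first"), "requests")
    print("last-wins parser sees ", count_requests(SAMPLE, "last"), "request")
    print("strict parser rejects:", strict_reject(SAMPLE))
```

Two entities in the same chain that disagree in this way no longer agree on where one request ends and the next begins, which is the discrepancy the researchers describe; the strict check removes the ambiguity by refusing the message.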

Full Story.
