Report of "HTTP/1.1 Request Smuggling" vulnerability.
Hello all.
We have been provided with a security report that has "HTTP/1.1 Request Smuggling" identified as a high risk. The server is running Litespeed (Apache disabled) and we have been unable to identify where/how to address this.
Can someone offer advice on it?
-
A quick search for "Request Smuggling Litespeed" on DuckDuckGo shows that this is a reported issue with OpenLiteSpeed: https://github.com/litespeedtech/openlitespeed/issues/394 (and issue 395 and 392).
Looking at the Litespeed changelog, this should have been fixed in the commercial product in version v6.1.2 build 2 and OpenLitespeed v1.7.17 (both June 2023) - so it looks like either a regression in the code has caused the problem to reoccur or it is a slightly different issue.
It looks like there is no Litespeed fix currently available - but hopefully LS will release an update soon.