After reading http://www.acunetix.com/blog/whitepaper-http-parameter-pollution/ I tried to check the same thing for HTTP headers. With Apache/2.2.15 (CentOS) and PHP 5.3.6 I received the following result:
So we can see the difference between HTTP parameter pollution (HPP) and HTTP headers pollution (HHP) for Apache/PHP. With HPP, the PHP/Apache combination exposes only the last occurrence of the user input in the request. With HHP the situation is different: the inputs are concatenated with a comma. This can be very useful for bypassing filters in some cases.
UPDATE: It can also be used for manipulating application flow (and not only that). For example, in cases where the length of each header (as an element of the headers array) is checked separately, but the final header is subsequently used in the way shown in the image above. I didn't look at the Apache source code closely, but it may possibly be useful for bypassing the latest patch for the CVE-2012-0053 vulnerability, in which the length of the Cookie header value (each? final?) must be less than 80 chars.
P.S. This behaviour probably depends on the web server version, but the same thing may exist in older versions as well.
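The mismatch described in the UPDATE, seen from the filter's side, as an added example that is not code from the original post: a per-occurrence length check accepts a request whose merged header value exceeds the limit, while a check on the merged value catches it. The `X-Test` header name, the sample request and the `", "` separator are assumptions (the post only says the values are joined with a comma).

```python
SEPARATOR = ", "  # assumption: Apache-style merge; the post only says "comma"
MAX_LEN = 80      # limit quoted in the post

# Constructed request headers as a front-end filter would see them, in order.
SAMPLE = [
    ("Host", "example.test"),
    ("X-Test", "a" * 50),   # hypothetical header, sent twice
    ("X-Test", "b" * 50),
]


def merge_headers(raw_headers):
    """Fold repeated headers into one value per name, as the application sees them."""
    merged = {}
    for name, value in raw_headers:
        key = name.lower()
        merged[key] = merged[key] + SEPARATOR + value if key in merged else value
    return merged


def per_occurrence_check(raw_headers, limit=MAX_LEN):
    """Weak check: every header line is measured on its own."""
    return all(len(value) <= limit for _, value in raw_headers)


def merged_check(raw_headers, limit=MAX_LEN):
    """Check the merged value; return (name, merged_length) for each violation."""
    return [(name, len(value))
            for name, value in merge_headers(raw_headers).items()
            if len(value) > limit]


def repeated_headers(raw_headers):
    """Names that occur more than once, worth logging or rejecting outright."""
    seen, repeated = set(), []
    for name, _ in raw_headers:
        key = name.lower()
        if key in seen and key not in repeated:
            repeated.append(key)
        seen.add(key)
    return repeated


if __name__ == "__main__":
    print("per-occurrence check passes:", per_occurrence_check(SAMPLE))
    print("merged-value violations:", merged_check(SAMPLE))
    print("repeated headers:", repeated_headers(SAMPLE))
```

A filter that validates the merged value, or rejects repeated occurrences of headers that should appear once, sees the same data the application later reads.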
The Acunetix developers are offering the possibility to take part in the Acunetix WVS 8 beta-testing program.
To take part in the program, you must send a mail to firstname.lastname@example.org and after that confirm that you are into web security.
Thanks to the Acunetix development team for this opportunity – guys, you make really useful, good-quality software!