further proxy/rewrite URL validation security issue

Jeremy Chadwick freebsd at jdc.parodius.com
Mon Nov 28 16:47:31 UTC 2011

On Mon, Nov 28, 2011 at 10:13:17PM +0000, Martin Wilke wrote:
> can someone please have a look here,
> http://marc.info/?l=apache-httpd-dev&m=132205829523882&w=2
> - martin

As was analysed by many people on Slashdot:


1. you have to be using reverse proxy mode
2. you have to have misconfigured rewrite rules
3. you have to actually have some internal resources that are private
4. you have to be attacked by somebody, who knows how to access these private resources
5. they have to do some thing with those resources (perhaps just read)
6. you have to actually care that all of this just happened

Though it's still something that should be fixed, it is not "oh my god
this is huge/major/gigantic".  The way it's being handled by news sites
and so on makes it sound drastic.

For the workaround, look very closely at the "proper" ruleset at the
bottom -- note the extra slash:


| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, US |
| Making life hard for others since 1977.               PGP 4BD6C0CB |

More information about the freebsd-apache mailing list