further proxy/rewrite URL validation security issue
Jeremy Chadwick
freebsd at jdc.parodius.com
Mon Nov 28 16:47:31 UTC 2011
On Mon, Nov 28, 2011 at 10:13:17PM +0000, Martin Wilke wrote:
> can someone please have a look here,
>
> http://marc.info/?l=apache-httpd-dev&m=132205829523882&w=2
>
> - martin
As was analysed by many people on Slashdot:
http://apache.slashdot.org/story/11/11/28/0335213/apache-flaw-allows-internal-network-access
1. you have to be using reverse proxy mode
2. you have to have misconfigured rewrite rules
3. you have to actually have some internal resources that are private
4. you have to be attacked by somebody, who knows how to access these private resources
5. they have to do some thing with those resources (perhaps just read)
6. you have to actually care that all of this just happened
Though it's still something that should be fixed, it is not "oh my god
this is huge/major/gigantic". The way it's being handled by news sites
and so on makes it sound drastic.
For the workaround, look very closely at the "proper" ruleset at the
bottom -- note the extra slash:
https://community.qualys.com/blogs/securitylabs/2011/11/23/apache-reverse-proxy-bypass-issue
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, US |
| Making life hard for others since 1977. PGP 4BD6C0CB |
More information about the freebsd-apache
mailing list