further proxy/rewrite URL validation security issue

Martin Wilke miwi at FreeBSD.org
Mon Nov 28 17:35:55 UTC 2011

On 11/28/2011 16:47, Jeremy Chadwick wrote:
> On Mon, Nov 28, 2011 at 10:13:17PM +0000, Martin Wilke wrote:
>> can someone please have a look here,
>> http://marc.info/?l=apache-httpd-dev&m=132205829523882&w=2
>> - martin
> As was analysed by many people on Slashdot:
> http://apache.slashdot.org/story/11/11/28/0335213/apache-flaw-allows-internal-network-access
> 1. you have to be using reverse proxy mode
> 2. you have to have misconfigured rewrite rules
> 3. you have to actually have some internal resources that are private
> 4. you have to be attacked by somebody, who knows how to access these private resources
> 5. they have to do some thing with those resources (perhaps just read)
> 6. you have to actually care that all of this just happened
> Though it's still something that should be fixed, it is not "oh my god
> this is huge/major/gigantic".  The way it's being handled by news sites
> and so on makes it sound drastic.
> For the workaround, look very closely at the "proper" ruleset at the
> bottom -- note the extra slash:
> https://community.qualys.com/blogs/securitylabs/2011/11/23/apache-reverse-proxy-bypass-issue

Hi Jeremy,

Thx for the explanation :).

- Martin

With best Regards,
         Martin Wilke (miwi_(at)_FreeBSD.org)

Mess with the Best, Die like the Rest

More information about the freebsd-apache mailing list