07 October 2011
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.1010
    Apache HTTP Server Security Advisory - mod_proxy reverse proxy exposure
                               7 October 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           mod_proxy
Publisher:         Apache
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-3368

Comment: Apache has provided a patch plus a workaround, and the vulnerability
         is fixed in versions 2.2.22-dev and 2.0.65-dev; version 1.3 will not
         be patched.

         More information is available at:
         http://httpd.apache.org/security/vulnerabilities_22.html
         http://httpd.apache.org/security/vulnerabilities_20.html
         http://www.contextis.com/research/blog/reverseproxybypass/

- --------------------------BEGIN INCLUDED TEXT--------------------

Apache HTTP Server Security Advisory
====================================

Title:    mod_proxy reverse proxy exposure
CVE:      CVE-2011-3368
Date:     20111005
Product:  Apache HTTP Server
Versions: httpd 1.3 all versions, httpd 2.x all versions

Description:
============

An exposure was reported affecting the use of Apache HTTP Server in reverse
proxy mode. We would like to thank Context Information Security Ltd for
reporting this issue to us.

When using the RewriteRule or ProxyPassMatch directives to configure a reverse
proxy using a pattern match, it is possible to inadvertently expose internal
servers to remote users who send carefully crafted requests. The server did not
validate that the input to the pattern match was a valid path string, so a
pattern could expand to an unintended target URL.
For future releases of the Apache HTTP Server, the software will validate the
request URI, correcting this specific vulnerability. The documentation has been
updated to reflect the more general risks with pattern matching in a reverse
proxy configuration.

Details:
========

A configuration like one of the following examples:

  RewriteRule (.*)\.(jpg|gif|png) http://images.example.com$1.$2 [P]

  ProxyPassMatch (.*)\.(jpg|gif|png) http://images.example.com$1.$2

could result in an exposure of internal servers. A request of the form:

  GET @other.example.com/something.png HTTP/1.1

would get translated to a target of:

  http://images.example.com@other.example.com/something.png

This will cause the proxy to connect to the hostname "other.example.com", as
the "images.example.com@" segment would be treated as user credentials when
parsing the URL. This would allow a remote attacker the ability to proxy to
hosts other than those expected, which could be a security exposure in some
circumstances.

The request-URI string in this example, "@other.example.com/something.png", is
not valid according to the HTTP specification, since it is neither an absolute
URI ("http://example.com/path") nor an absolute path ("/path"). For future
releases, the server has been patched to reject such requests, instead
returning a "400 Bad Request" error.

Actions:
========

Apache HTTPD users should examine their configuration files to determine if
they have used an insecure configuration for reverse proxying. Affected users
can update their configuration, or apply the patch from:

  http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/

For example, the above RewriteRule could be changed to:

  RewriteRule /(.*)\.(jpg|gif|png) http://images.example.com/$1.$2 [P]

to ensure the pattern only matches against paths with a leading "/".
- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to email@example.com and we will
forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
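The expansion described in the included advisory, as an added example that is not part of the original bulletin or of Apache's own code: a small Python model of a RewriteRule/ProxyPassMatch substitution showing which host the vulnerable and the corrected rule send the crafted request to, together with the request-URI check (absolute path or absolute URI) that the patched server applies before any rule runs. The function names, the unanchored-search behaviour of the model and the use of urlsplit in place of httpd's URL parser are assumptions.

```python
import re
from urllib.parse import urlsplit


def is_valid_request_uri(uri: str) -> bool:
    """Accept only the request-URI forms the advisory names: an absolute path
    ("/path") or an absolute URI ("scheme://host/path"). Anything else, e.g.
    "@other.example.com/x.png", is what the patched server answers with
    400 Bad Request. ("*" and CONNECT's authority form are left out here.)"""
    if uri.startswith("/"):
        return True
    return re.match(r"[A-Za-z][A-Za-z0-9+.-]*://", uri) is not None


def expand_rule(pattern: str, substitution: str, request_uri: str):
    """Model a RewriteRule/ProxyPassMatch: unanchored regex search on the
    request-URI, then $0..$9 replaced by the captured groups. Returns the
    target URL, or None when the pattern does not match."""
    m = re.search(pattern, request_uri)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", substitution)


def proxied_host(pattern, substitution, request_uri, patched=True):
    """Host the proxy would connect to, or None if the request is rejected
    (patched server, 400) or the rule does not match. urlsplit treats the
    part of the authority before '@' as userinfo, which is the whole bug."""
    if patched and not is_valid_request_uri(request_uri):
        return None
    target = expand_rule(pattern, substitution, request_uri)
    return urlsplit(target).hostname if target else None


# The two rules from the advisory and its crafted request-URI (constructed).
VULNERABLE = (r"(.*)\.(jpg|gif|png)", "http://images.example.com$1.$2")
FIXED = (r"/(.*)\.(jpg|gif|png)", "http://images.example.com/$1.$2")
CRAFTED = "@other.example.com/something.png"

if __name__ == "__main__":
    # Unpatched server, vulnerable rule: "images.example.com@" becomes
    # userinfo and the connection goes to other.example.com.
    print(expand_rule(*VULNERABLE, CRAFTED))
    print(proxied_host(*VULNERABLE, CRAFTED, patched=False))  # other.example.com
    # Corrected rule: the "/" after the host closes the authority, so an "@"
    # anywhere in the matched path can no longer introduce a second host.
    print(proxied_host(*FIXED, "/@other.example.com/x.png", patched=False))  # images.example.com
    # Patched server: the crafted request is rejected before any rule runs.
    print(proxied_host(*VULNERABLE, CRAFTED))  # None
```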
Previous advisories and external security bulletins can be retrieved from:

  http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: firstname.lastname@example.org
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================