-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.1010
  Apache HTTP Server Security Advisory - mod_proxy reverse proxy exposure
                              7 October 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          mod_proxy
Publisher:        Apache
Operating System: UNIX variants (UNIX, Linux, OSX)
                  Windows
Impact/Access:    Unauthorised Access -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2011-3368  

Comment: Apache has provided a patch plus a workaround, and the vulnerability
         is fixed in versions 2.2.22-dev and 2.0.65-dev; version 1.3 will not
         be patched.
         
         More information is available at:
         http://httpd.apache.org/security/vulnerabilities_22.html
         http://httpd.apache.org/security/vulnerabilities_20.html
         http://www.contextis.com/research/blog/reverseproxybypass/

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Apache HTTP Server Security Advisory
====================================

Title:       mod_proxy reverse proxy exposure

CVE:         CVE-2011-3368
Date:        20111005
Product:     Apache HTTP Server
Versions:    httpd 1.3 all versions, httpd 2.x all versions

Description:
============

An exposure was reported affecting the use of Apache HTTP Server in
reverse proxy mode.  We would like to thank Context Information
Security Ltd for reporting this issue to us.

When using the RewriteRule or ProxyPassMatch directives to configure a
reverse proxy using a pattern match, it is possible to inadvertently
expose internal servers to remote users who send carefully crafted
requests.  The server did not validate that the input to the pattern
match was a valid path string, so a pattern could expand to an
unintended target URL.

For future releases of the Apache HTTP Server, the software will
validate the request URI, correcting this specific vulnerability.  The
documentation has been updated to reflect the more general risks with
pattern matching in a reverse proxy configuration.

Details:
========

A configuration like one of the following examples:

  RewriteRule (.*)\.(jpg|gif|png)    http://images.example.com$1.$2 [P]
  ProxyPassMatch (.*)\.(jpg|gif|png) http://images.example.com$1.$2

could result in an exposure of internal servers.  A request of the form:

  GET @other.example.com/something.png HTTP/1.1

would get translated to a target of:

  http://images.example.com@other.example.com/something.png

This will cause the proxy to connect to the hostname
"other.example.com", as the "images.example.com@" segment would be
treated as user credentials when parsing the URL.  This would allow a
remote attacker the ability to proxy to hosts other than those
expected, which could be a security exposure in some circumstances.

The request-URI string in this example,
"@other.example.com/something.png", is not valid according to the HTTP
specification, since it is neither an absolute URI
("http://example.com/path") nor an absolute path ("/path").  For
future releases, the server has been patched to reject such requests,
instead returning a "400 Bad Request" error.

Actions:
========

Apache HTTPD users should examine their configuration files to determine 
if they have used an insecure configuration for reverse proxying.  
Affected users can update their configuration, or apply the patch from:

   http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/

For example, the above RewriteRule could be changed to:

  RewriteRule /(.*)\.(jpg|gif|png)    http://images.example.com/$1.$2 [P]

to ensure the pattern only matches against paths with a leading "/", and
that the captured text is always placed after the "/" that begins the
target's path, where an "@" can no longer be read as a userinfo separator.
The ProxyPassMatch example above needs the same change.  The configuration
fix and the request-URI validation patch are complementary: apply the
configuration fix even on patched servers, since an unanchored pattern
whose substitution places "$1" directly after the hostname remains a
fragile construct.
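The following Python model, added here as an illustration and not part of the Apache advisory or of the httpd code, reproduces the expansion described in the Details section and the fix given in the Actions section: it applies the vulnerable and the corrected rule to a normal request-URI and to the crafted "@other.example.com/..." request-URI, shows which host the proxy would connect to, and applies a request-URI check modelled on the advisory's description of the patch (absolute path, absolute URI or "*"; the exact server code is not reproduced). The rule tuples, the function names and the sample request-URIs are constructed for the example; `\1`/`\2` stand in for Apache's `$1`/`$2`.

```python
"""Model of how the configurations in CVE-2011-3368 expand a request-URI into
a proxy target, and of the request-URI check the fix adds.  Added example,
not Apache code."""
import re
from urllib.parse import urlsplit

# The two rules quoted in the advisory, as (pattern, substitution).
# re.Match.expand() uses \1 where Apache uses $1.
VULNERABLE_RULE = (re.compile(r"(.*)\.(jpg|gif|png)"),
                   r"http://images.example.com\1.\2")
FIXED_RULE = (re.compile(r"/(.*)\.(jpg|gif|png)"),
              r"http://images.example.com/\1.\2")


def request_uri_is_valid(method, request_uri):
    """Approximation of the check the patched server applies to the request
    line: the request-URI must be an absolute path ("/path"), an absolute
    URI ("http://host/path") or "*".  CONNECT carries an authority instead
    and is not checked here.  Assumption: mirrors the advisory's wording,
    not the exact server source."""
    if method == "CONNECT":
        return True
    if request_uri == "*" or request_uri.startswith("/"):
        return True
    return re.match(r"[A-Za-z][A-Za-z0-9+.-]*://", request_uri) is not None


def expand_target(rule, request_uri):
    """Apply a RewriteRule/ProxyPassMatch-style regex to the request-URI.
    mod_rewrite patterns are not implicitly anchored, so a search is used;
    on a match the substitution replaces the whole URI."""
    pattern, substitution = rule
    m = pattern.search(request_uri)
    if m is None:
        return None
    return m.expand(substitution)


def proxy_host(target_url):
    """Host the proxy would actually connect to.  urlsplit treats everything
    before the last "@" in the authority as userinfo, which is the parsing
    the advisory describes."""
    return urlsplit(target_url).hostname


def handle_request(rule, method, request_uri, validate=True):
    """Simulate the server for one request line.  Returns ("400", None) when
    the request-URI is rejected, ("proxy", host) when a rule matched, or
    ("local", None) when no rule matched."""
    if validate and not request_uri_is_valid(method, request_uri):
        return ("400", None)
    target = expand_target(rule, request_uri)
    if target is None:
        return ("local", None)
    return ("proxy", proxy_host(target))


if __name__ == "__main__":
    crafted = "@other.example.com/something.png"   # constructed attacker request-URI
    normal = "/images/logo.png"                    # constructed ordinary request-URI
    for label, rule in (("vulnerable rule", VULNERABLE_RULE),
                        ("fixed rule", FIXED_RULE)):
        for validate in (False, True):
            for uri in (normal, crafted):
                print(f"{label}, validation {'on ' if validate else 'off'}, "
                      f"GET {uri}: {handle_request(rule, 'GET', uri, validate)}")
```

With validation off and the vulnerable rule, the crafted request expands to http://images.example.com@other.example.com/something.png and the proxy host becomes other.example.com; with either the corrected rule or validation on, that request is proxied only to images.example.com or answered with 400, while the ordinary request is proxied to images.example.com in every case.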

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk6MZZAACgkQR/aWnQ5EzwxdfQCg0yX+OplatMPQcweRneRmh5Xp
5sEAoLooi9H4LW12oPgStNbY2wtyQrYP
=8qjg
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBTo5S7e4yVqjM2NGpAQKW9hAAsSBfePp/Ki4+LR0Nw+hfEVlTnwp+AN5V
JmTf171ys0cWUcD6oOkgufGhrxMN88ivv+RBFLp+fQdfdUEChsxw4ZHddpqeBQpV
wqzUDohLXO+dbYiOlZzRn1Y/UGqABo1MbAv7I01aXrA3RUwF25Dt3mGEdBRxqTdi
6iyXG1u8s2Ii41H7uZNXZiALfh1EHGS23hOIO6/9/aPiM/rBdBFCFC/38mA7TkIA
NmCcrvH0aRumC0BZtEAi538NgDRI9l/8jNMyC2mEnaBKZXKyn6aA0qD7Q+YccuLj
RVbFDIEjNGActRAdBpirq1QysL2Qb1t03VUML2zQxGAaLFLBHgTJ/3ybe7BouErA
JtmgA4BfrR3vfIkc0+iTskz1SKlxglXKm+zFRk2LprcGM6Fa82s2ILguufh/7DOK
XX2qXbn2K3izEl3yvvdXNG2Jv99uT9Gx4wfynU+pUBhTVjNd7yB/tGkh/Us0vKsD
M90SRZrbY4FgNtqI0AAWiHQIFaUCRo0sWZzjx0uZrhMk7ckx0x89rRSu481XuZ5h
donyakaomScS5SSdNdOoOyfVs61HDWXWeZ0DbtjvGr5foalCB/3LfGPSbddHF5TA
N33LiRh60AKIWRYn5V4ekeCXuSHu0CbYg0Co46sbsa2KpEelmhPqL6MKdizWQG++
9SJognloQYE=
=SbKC
-----END PGP SIGNATURE-----