Saturday, November 26, 2011

Apache HTTP Server Reverse Proxy - CVE-2011-4317

An engineer from Qualys Security Labs discovered a vulnerability in Apache HTTP Server reverse proxy/rewrite URL validation while creating a vulnerability signature for CVE-2011-3368.

The weakness is caused by the mod_proxy module, when configured in reverse proxy mode, incorrectly processing certain web requests. This can be exploited to send requests to an unintended server behind the proxy via a specially crafted URL.

Full Details with PoC
https://community.qualys.com/blogs/securitylabs/2011/11/23/apache-reverse-proxy-bypass-issue

Workaround:

Apache has not yet released a patch for this issue. Until a patch is released, configuring the reverse proxy rules correctly will prevent this issue from occurring. For example, in the above case, if the reverse proxy rules are configured as follows, the proof of concept will not work.

RewriteRule ^(.*) http://10.40.2.159/$1
ProxyPassMatch ^(.*) http://10.40.2.159/$1
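
A configuration check for the rule form used in this workaround, added here as an example and not taken from the original post or from Apache: it flags RewriteRule and ProxyPassMatch targets in which a backreference sits in the host part of the backend URL, with no "/" before it. The function name audit_proxy_rules and the sample configuration are constructed for illustration; the flagged sample lines are the rules above with the slash removed.

```python
import re

# Directives whose backend target is built from a regex backreference.
DIRECTIVES = {"rewriterule", "proxypassmatch"}

# scheme://authority where a backreference ($N or %N) appears before any "/",
# so request-derived text lands in the host part of the backend URL.
UNSAFE_TARGET = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s$%]*[$%]\d", re.I)


def audit_proxy_rules(config_text):
    """Return (line_number, line) for rules with no "/" between host and backreference."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Simple whitespace split: assumes pattern and target contain no spaces.
        parts = line.split()
        if len(parts) < 3 or parts[0].lower() not in DIRECTIVES:
            continue
        target = parts[2].strip('"')
        if UNSAFE_TARGET.match(target):
            findings.append((number, line))
    return findings


# Constructed sample configuration (not from the original post).
SAMPLE = """\
# constructed sample for the audit
RewriteEngine On
RewriteRule ^(.*) http://10.40.2.159$1
ProxyPassMatch ^(.*) http://10.40.2.159$1
RewriteRule ^(.*) http://10.40.2.159/$1
ProxyPassMatch ^(.*) http://10.40.2.159/$1
"""

if __name__ == "__main__":
    for number, line in audit_proxy_rules(SAMPLE):
        print(f"line {number}: add '/' before the backreference: {line}")
```
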