The Apache Software Foundation has squashed a reverse proxy flaw affecting its servers in which little more than a missing forward slash had exposed untold numbers of network devices and information to hackers.
Reverse proxies route external HTTP and HTTPS web requests to an internal web server. They are used in load balancing and to make multiple web servers at different paths appear as a single web interface.
Apache HTTP Servers in reverse proxy mode whose rewrite rules omitted the forward slash could allow attackers to change HTTP requests. From there they could access sensitive resources including administration access for routers, web servers, firewalls and databases.
An example rule, with the position where the slash belongs marked:
RewriteRule ^(.*) http://internalserver:80(add forward slash here)$1 [P]
Overnight the Apache Software Foundation patched the flaw, which was discovered last month by UK-based Context Information Security during a penetration test.
But Context Information Security research and development manager Michael Jordon said the flaw could affect other web servers.
“This latest vulnerability is a potential back door to sensitive internal or DMZ systems but is totally avoidable if the reverse proxies are properly configured.
“[We have] not investigated other web servers and proxies but it is reasonable to assume that the problem is more widespread,” he said.
“When using the RewriteRule or ProxyPassMatch directives to configure a reverse proxy using a pattern match, it is possible to inadvertently expose internal servers to remote users who send carefully crafted requests,” Apache’s Joe Orton said.
“The server did not validate that the input to the pattern match was a valid path string, so a pattern could expand to an unintended target URL.”
The fix forced Apache software to validate the request URL.
Context Information Security said the vulnerability could be mitigated by changing reverse proxy configurations to ensure that rewrite rules cannot be abused. It released a vulnerability tool to identify the bug.
Adding the forward slash ensures Apache does not interpret the domain and port parts of the request as a username and password, Jordon said.
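The configuration check described above can be automated. The following is an added example, not code from the article, from Apache or from Context's tool: a small Python audit that flags RewriteRule (with the proxy flag) and ProxyPassMatch lines whose target host and port run straight into a backreference with no forward slash. The function names and the sample configuration are constructed for illustration.

```python
import re

# Target whose host[:port] is followed directly by a backreference ($1, $2, ...)
# with no "/" in between to close the host part of the URL.
UNTERMINATED = re.compile(r'^https?://[^/\s$]+\$\d', re.I)

def proxy_target(line):
    """Return the target URL of a pattern-match proxy directive, else None."""
    parts = line.split()
    if not parts or parts[0].startswith('#'):
        return None
    name = parts[0].lower()
    if name == 'proxypassmatch' and len(parts) >= 3:
        return parts[2]
    if name == 'rewriterule' and len(parts) >= 4:
        # Flags may be written as [P], [P,L] or [proxy]; only proxied rules matter here.
        flags = {f.strip().lower() for f in ''.join(parts[3:]).strip('[]').split(',')}
        if flags & {'p', 'proxy'}:
            return parts[2]
    return None

def audit(config_text):
    """Return (line number, directive) pairs that need the slash added."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        target = proxy_target(line)
        if target and UNTERMINATED.match(target):
            findings.append((lineno, line.strip()))
    return findings

# Constructed sample configuration (hostnames follow the article's example).
SAMPLE = """\
# constructed sample
RewriteEngine On
RewriteRule ^(.*) http://internalserver:80$1 [P]
RewriteRule ^(.*) http://internalserver:80/$1 [P]
ProxyPassMatch ^(.*) http://internalserver:8080$1
ProxyPassMatch ^/(.*) http://internalserver:8080/$1
RewriteRule ^/old(.*) http://internalserver:80$1 [R=301,L]
"""

if __name__ == '__main__':
    for lineno, directive in audit(SAMPLE):
        print(f"line {lineno}: add '/' before the backreference: {directive}")
```

The check covers only the directive forms named in the article; a flagged line is fixed by inserting the slash between the host and port and the backreference.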
Copyright © SC Magazine, Australia