Recently Saved by radix33 on January 31, 2012
First saved by chibchombia on November 30, 2011
Today Apache acknowledged another reverse proxy issue (CVE-2011-4317) which I discovered while creating a QualysGuard vulnerability signature for an older problem CVE-2011-3368. Depending on the reverse proxy configuration, the vulnerability could allow access to internal systems from the Internet.
While reviewing the patch for the older issue CVE-2011-3368, it appeared that it was still possible to make use of a crafted request that could exploit a fully patched Apache Web Server (Apache 2.2.21 with CVE-2011-3368 patch applied) to allow access to internal systems if the reverse proxy rules are configured incorrectly. I submitted an advisory and proof of concept to Apache and Apache made the issue public today.
For a good description of the older CVE-2011-3368 issue as well as how a reverse proxy works please check the excellent blog post by Context.
Here is a description of the new issue CVE-2011-4317 and its proof of concept.
Apache’s patch for CVE-2011-3368
The patch for CVE-2011-3368 (see Figure 1) is straightforward and self-explanatory. The "server/protocol.c" file was modified. The patch looks at the request being sent and returns an HTTP 400 response (Bad Request) if the request URI does not begin with a forward slash "/".
@@ -640,6 +640,25 @@
+ /* RFC 2616: + * Request-URI = "*" | absoluteURI | abs_path | authority
+ * + * authority is a special case for CONNECT. If the request is not
+ * using CONNECT, and the parsed URI does not have scheme, and
+ * it does not begin with '/', and it is not '*', then, fail
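Review bot: the condition spelled out in this comment only fails a request whose parsed URI has no scheme, so a request-URI that parses as absoluteURI (the second alternative in the RFC 2616 production quoted just above) is accepted here and handed on to the rewrite/proxy rules unchanged; the comment should say so explicitly and point at the configuration guidance for reverse proxy rules, since, as the post notes, a crafted request can still reach internal systems on a fully patched 2.2.21 when those rules are configured incorrectly.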
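The check described above turns away request-URIs that are neither an abs_path nor "*" (CONNECT excepted), but absoluteURI requests still go through to the proxy rules. The following added example (not from the original post or from Apache) audits constructed access-log lines for requests of either shape so that a reverse proxy operator can see what the server rejected with a 400 and what it passed on; the log format, host names and addresses are assumptions made for the example.

```python
import re

# Constructed common-log lines for a reverse proxy; not taken from any real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Jan/2012:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [31/Jan/2012:10:00:02 +0000] "OPTIONS * HTTP/1.1" 200 0',
    '203.0.113.9 - - [31/Jan/2012:10:00:03 +0000] "GET http://intranet.example/admin HTTP/1.1" 200 2048',
    '203.0.113.9 - - [31/Jan/2012:10:00:04 +0000] "GET intranet.example:8080 HTTP/1.1" 400 226',
    '203.0.113.9 - - [31/Jan/2012:10:00:05 +0000] "CONNECT intranet.example:443 HTTP/1.1" 405 0',
]

# Apache common log format: client, ident, user, [timestamp], "request line", status, bytes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/\d\.\d)" (?P<status>\d{3})'
)


def is_origin_form(method, uri):
    """True for the request-URI shapes a reverse proxy legitimately receives:
    an abs_path starting with '/' or the bare '*'. CONNECT is exempted because,
    as the patch comment notes, its authority form is the special case."""
    return method == "CONNECT" or uri == "*" or uri.startswith("/")


def audit(lines):
    """Return (client, method, uri, status) for every request whose URI is
    neither abs_path nor '*'. The status tells the operator whether the server
    rejected it (400) or handed it to the rewrite/proxy rules (anything else)."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or is_origin_form(m["method"], m["uri"]):
            continue
        findings.append((m["ip"], m["method"], m["uri"], int(m["status"])))
    return findings


def passed_to_proxy(findings):
    """Subset that the '/' check did not stop: these are the requests whose
    outcome depends entirely on how the reverse proxy rules are written."""
    return [f for f in findings if f[3] != 400]


if __name__ == "__main__":
    for client, method, uri, status in audit(SAMPLE_LOG):
        verdict = "rejected" if status == 400 else "reached proxy rules"
        print(f"{client} {method} {uri} -> {status} ({verdict})")
```

Requests that show up under "reached proxy rules" are the ones worth reconciling against the RewriteRule/ProxyPassMatch patterns in use.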