Internal Network Access Allowed by Unpatched Apache Flaw
Security researcher reveals how to bypass older patch for an Apache reverse proxy vulnerability
IDG News Service - A yet-to-be-patched flaw in the Apache HTTP Server allows attackers to reach protected resources on internal networks if certain rewrite rules are not written carefully.
The vulnerability affects Apache installations that operate in reverse proxy mode, a type of configuration used for load balancing, caching and other operations that distribute resources over multiple servers.
Server administrators use specialized modules such as mod_proxy and mod_rewrite to set up Apache HTTPD in this mode.
Qualys security researchers warned that if certain rules are configured incorrectly, attackers can trick the server into performing unauthorized requests to internal resources.
Back in October, a vulnerability that allowed similar attacks was addressed, so the problem itself is not new. However, while reviewing the patch for it, Qualys researcher Prutha Parikh realized that it can be bypassed because of a bug in the procedure for URI (Uniform Resource Identifier) scheme stripping. The scheme is the part of the URI that comes before the ":" character, such as ftp, http or file.
One common rewrite and proxying rule is "^(.*) http://internal_host$1". If this rule is used and the server receives a request whose URI does not begin with a slash but contains a ":" character, the part before the ":" is treated as a URI scheme and stripped, and the rest is appended to http://internal_host in order to forward the request internally.
The problem is that in this case the remaining part is ":port", which turns the forwarded request into http://internal_host:port, an unintended behaviour that can result in the exposure of a protected resource.
To mitigate the problem, server administrators should add a forward slash before $1 in the rewrite rule, the correct form being "^(.*) http://internal_host/$1", Parikh said.
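To make the difference between the two rules concrete, here is an added example in Python; it is not code from the article, from Qualys or from the Apache project. It models the scheme-stripping step described above in simplified form, applies the weak and the corrected rewrite targets to a constructed request, and ends with a small lint that flags proxy rewrite targets where the backreference is glued directly to the host. The function names, the probe request "probe::8080", the port 8080 and the host "internal_host" are assumptions for illustration, and strip_scheme is an assumed model of the behaviour, not Apache's real parser.

```python
import re
from urllib.parse import urlsplit

# Constructed rewrite rules as (pattern, substitution) pairs. In httpd.conf the
# corresponding lines would read (illustrative, assumed configuration):
#   RewriteRule ^(.*) http://internal_host$1  [P]   # weak: nothing separates host and $1
#   RewriteRule ^(.*) http://internal_host/$1 [P]   # fixed: slash before $1
WEAK_RULE = (r"^(.*)", "http://internal_host$1")
FIXED_RULE = (r"^(.*)", "http://internal_host/$1")

# Constructed backend identity for the demonstration (assumption, not from the article).
INTENDED_HOST = "internal_host"
INTENDED_PORT = 80


def strip_scheme(request_uri: str) -> str:
    """Simplified model of the scheme stripping the article describes.

    A request target that does not start with '/' (a normal path) or '*' and
    has a ':' before any '/' is treated as '<scheme>:<rest>'; the scheme is
    dropped and only <rest> reaches the rewrite engine. This is an assumed
    model of the behaviour, not Apache's actual parsing code.
    """
    if request_uri.startswith(("/", "*")):
        return request_uri
    m = re.match(r"^([^/:]+):(.*)$", request_uri)
    return m.group(2) if m else request_uri


def apply_rewrite(rule, path: str) -> str:
    """Apply a (pattern, substitution) rule; '$1' is the first capture group."""
    pattern, substitution = rule
    m = re.match(pattern, path)
    if not m:
        return path
    return substitution.replace("$1", m.group(1))


def proxied_target(rule, request_uri: str) -> str:
    """Where the proxy would forward request_uri under the given rule."""
    return apply_rewrite(rule, strip_scheme(request_uri))


def stays_on_intended_backend(url: str) -> bool:
    """True if the forwarded URL still targets the intended host and port."""
    parts = urlsplit(url)
    try:
        port = parts.port or INTENDED_PORT
    except ValueError:  # non-numeric port in the authority, e.g. ':port'
        return False
    return parts.hostname == INTENDED_HOST and port == INTENDED_PORT


def target_separates_authority(substitution: str) -> bool:
    """Lint for proxy rewrite targets: the fixed authority (host[:port]) must be
    followed by '/' before any backreference appears, otherwise captured text
    such as ':8080' is merged into the authority of the forwarded request."""
    m = re.match(r"^[a-z][a-z0-9+.\-]*://([^/]*)", substitution, re.I)
    return bool(m) and "$" not in m.group(1)


if __name__ == "__main__":
    probe = "probe::8080"  # constructed request target; after stripping it is ':8080'
    for name, rule in (("weak", WEAK_RULE), ("fixed", FIXED_RULE)):
        url = proxied_target(rule, probe)
        print(f"{name:5} {probe!r} -> {url}  confined={stays_on_intended_backend(url)}")
        print(f"      lint passes: {target_separates_authority(rule[1])}")
```

Under the weak rule the stripped remainder ":8080" lands directly after the host and changes the port of the forwarded request; under the corrected rule the same text becomes part of the path, and the lint rejects the weak substitution before it is ever deployed.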
Apache developers are currently discussing the best way to fix the problem. One possibility would be to strengthen the previous patch in the server code in order to reject such requests; however, there is no certainty that other bypass methods won't be discovered.
"We could try to improve that fix, but I think it would be simpler to change the translate_name hooks in the mod_proxy and mod_rewrite to enforce the requirement in the 'right' place," said Red Hat senior software engineer Joe Orton on the Apache dev mailing list. He proposed a patch that is currently being reviewed by other developers.