Apache reverse proxy flaw opens door to internal networks
Apache has confirmed the existence of a new reverse proxy vulnerability after it was discovered by Prutha Parikh, a security researcher with Qualys, while she was creating a vulnerability signature for QualysGuard.
“While reviewing the patch for the older issue CVE-2011-3368, it appeared that it was still possible to make use of a crafted request that could exploit a fully patched Apache Web Server (Apache 2.2.21 with CVE-2011-3368 patch applied) to allow access to internal systems if the reverse proxy rules are configured incorrectly,” she wrote in a blog post, in which she also revealed the details and proof-of-concept code.
The publication has obviously been coordinated with Apache’s security team, which is still working on a fix for the vulnerability.
Referring to the fix for the older vulnerability, Red Hat software engineer Joe Orton commented on the Apache dev mailing list that Apache could try to improve it, but that he thinks it would be simpler to change the translate_name hooks in mod_proxy and mod_rewrite to enforce the requirement in the ‘right’ place.
In the meantime, Parikh has advised the use of a workaround which consists of a reconfiguration of the reverse proxy rules.