further proxy/rewrite URL validation security issue
Martin Wilke
miwi at FreeBSD.org
Mon Nov 28 17:35:55 UTC 2011
On 11/28/2011 16:47, Jeremy Chadwick wrote:
> On Mon, Nov 28, 2011 at 10:13:17PM +0000, Martin Wilke wrote:
>> can someone please have a look here,
>>
>> http://marc.info/?l=apache-httpd-dev&m=132205829523882&w=2
>>
>> - martin
> As was analysed by many people on Slashdot:
>
> http://apache.slashdot.org/story/11/11/28/0335213/apache-flaw-allows-internal-network-access
>
> 1. you have to be using reverse proxy mode
> 2. you have to have misconfigured rewrite rules
> 3. you have to actually have some internal resources that are private
> 4. you have to be attacked by somebody, who knows how to access these private resources
> 5. they have to do some thing with those resources (perhaps just read)
> 6. you have to actually care that all of this just happened
>
> Though it's still something that should be fixed, it is not "oh my god
> this is huge/major/gigantic". The way it's being handled by news sites
> and so on makes it sound drastic.
>
> For the workaround, look very closely at the "proper" ruleset at the
> bottom -- note the extra slash:
>
> https://community.qualys.com/blogs/securitylabs/2011/11/23/apache-reverse-proxy-bypass-issue
>
Hi Jeremy,
Thx for the explanation :).
- Martin
--
+-----------------oOO--(_)--OOo-------------------------+
With best Regards,
Martin Wilke (miwi_(at)_FreeBSD.org)
Mess with the Best, Die like the Rest
More information about the freebsd-apache
mailing list