Maintainers of the open-source Apache webserver are warning that their HTTP daemon is vulnerable to exploits that expose internal servers to remote attackers who embed special commands in website addresses. The weakness in 1.3 and all 2.x versions of the Apache HTTP Server can be exploited only under certain conditions. For one …
What's in a word?
"unauthorized access to a highly sensitive DMZ, or 'demilitarized zone' resources inside an organization"
That's why the term "demilitarized zone" is dangerous - people let it all hang out on that little perimeter network. Militarize that DMZ now - passwords, encryption, intrusion detection, all of it.
The scenario described may actually be a little far-fetched as a security hole. The configuration directives that open it are the kind of thing far more likely to be used in a 'loose' configuration - for example a mass virtual hosting situation - than in a high-security situation where wildcards would flag a warning.
The other version of the risk is that you inadvertently make the server capable of being used as an open proxy. Not a proxy that could be used by a regular browser, but rather a browser hacked to send HTTP requests crafted to include routing information to an arbitrary destination.
You say this like mass virtual hosting servers are uncommon. I work in the hosting industry. It's highly common.
Apache as a reverse proxy?
Surely all the cool kids will be using nginx or lighttpd or perlbal? Apache seems like a curious choice here.
If you configure your webserver poorly, it might backfire on you.
...but EVERYONE knows Open Source is immune from viruses, trojans, backdoors, bugs...etc...etc.
So why worry?
- 'Windows 9' LEAK: Microsoft's playing catchup with Linux
- Infosec geniuses hack a Canon PRINTER and install DOOM
- Boffins say they've got Lithium batteries the wrong way around
- Game Theory Half a BILLION in the making: Bungie's Destiny reviewed
- Phones 4u slips into administration after EE cuts ties with Brit mobe retailer