Feeds

back to article Apache developers scramble to fix proxy flaw

Apache developers are working on a fix of a flaw in its web server software that creates a possible mechanism to access internal systems. The zero-day vulnerability only rears its ugly head if reverse proxy rules are configured incorrectly and is far from easy to exploit ... but it is nonetheless nasty. A possible patch for the …

COMMENTS

This topic is closed for new posts.
Bronze badge

Wrong on many counts..

1. This only applies to apache servers that are being used as a reverse proxy.

2. The admin must have poorly crafted a rewrite rule and a ProxyPassMatch rule.

3. If the above 2 are true then exploiting it is trivial.

2
4
Mushroom

@condiment

What part of the article did you not read:

1. "This only applies to apache servers that are being used as a reverse proxy" - yep that is explained clearly in the article.

2. Though not described in the article, there is no need to because it is adequately explained in the link to the Qualys site. Why re-hash, in fact there is nothing in the article to be "wrong" about.

3. Oh aye, big man speak. Come on then, put your money where your mouth is and show us your skillz and pwning.

Sigh,

3
1
Vic
Silver badge

> 2. The admin must have poorly crafted a rewrite rule and a ProxyPassMatch rule

Indeed.

Whilst this is rather interesting and slightly embarrassing, I doubt it'll have much impact - I don't think I've ever seen rewrite rules like that on any production server...

Vic.

1
1
Pirate

The alternative is...

To not use Apache at all.

It may still be the world's most popular web server but that has not stopped it being the unix world's security hole of choice. It isn't as if it's even a particularly good web server (compared to what is available these days). Just count the number of security issues per year we have with it.

And, whilst I am in rant mode: why do people insist on running webservers on privileged ports when it is the work of moments to stick them on some secret port numbers and NAT the requests from 80/443 to them?

0
7
Silver badge
Headmaster

"why do people insist on running webservers on privileged ports"

I recommend you switch your webserver off RIGHT NOW and STEP BACK FROM THE COMPUTER.

Also, what _is_ available these days?

1
0
WTF?

Privileged ports

WTF would it achieve to run it on a non-standard port and then remap it at a NAT level?

0
0
Facepalm

RE: Also, what _is_ available these days?

I think he's implying we all use IIS.

Sigh ...

0
0
Bronze badge
Facepalm

Stupid?

I'd say, that anyone that puts "RewriteRule ^(.*) http://10.40.2.159$1" together with "ProxyPassMatch ^(.*) http://10.40.2.159$1" in their httpd.conf is responsible for their own stupidity...

3
0
Anonymous Coward

Old News

Wasn't this "exploit" (lets face it, this isn't a fucking exploit, it's a very bad example of a sysadmin error. It's like saying "I accidentally left the root password blank and set PermitRootLogin yes" and calling it security hole with ssh) reported some months ago?

We already did the "lets just double check" request completed on some of our older apache boxes and found several of these rules I guess my predecessors weren't terribly clever.

While you can scoff at the stupidity of others (I certainly did), there are some out there.

Best to doublecheck.

1
0

Stupid in a hurry...

It's also very easy to make stupid config mistakes when in a hurry, especially where the box in question isn't planned (at the time) to be a production box.

Now who here can honestly say they've never done something stupid in a config?

1
0
This topic is closed for new posts.