Apache developers are working on a fix of a flaw in its web server software that creates a possible mechanism to access internal systems. The zero-day vulnerability only rears its ugly head if reverse proxy rules are configured incorrectly and is far from easy to exploit ... but it is nonetheless nasty. A possible patch for the …
Wrong on many counts..
1. This only applies to apache servers that are being used as a reverse proxy.
2. The admin must have poorly crafted a rewrite rule and a ProxyPassMatch rule.
3. If the above 2 are true then exploiting it is trivial.
What part of the article did you not read:
1. "This only applies to apache servers that are being used as a reverse proxy" - yep that is explained clearly in the article.
2. Though not described in the article, there is no need to because it is adequately explained in the link to the Qualys site. Why re-hash, in fact there is nothing in the article to be "wrong" about.
3. Oh aye, big man speak. Come on then, put your money where your mouth is and show us your skillz and pwning.
> 2. The admin must have poorly crafted a rewrite rule and a ProxyPassMatch rule
Whilst this is rather interesting and slightly embarrassing, I doubt it'll have much impact - I don't think I've ever seen rewrite rules like that on any production server...
The alternative is...
To not use Apache at all.
It may still be the world's most popular web server but that has not stopped it being the unix world's security hole of choice. It isn't as if it's even a particularly good web server (compared to what is available these days). Just count the number of security issues per year we have with it.
And, whilst I am in rant mode: why do people insist on running webservers on privileged ports when it is the work of moments to stick them on some secret port numbers and NAT the requests from 80/443 to them?
"why do people insist on running webservers on privileged ports"
I recommend you switch your webserver off RIGHT NOW and STEP BACK FROM THE COMPUTER.
Also, what _is_ available these days?
WTF would it achieve to run it on a non-standard port and then remap it at a NAT level?
RE: Also, what _is_ available these days?
I think he's implying we all use IIS.
I'd say, that anyone that puts "RewriteRule ^(.*) http://10.40.2.159$1" together with "ProxyPassMatch ^(.*) http://10.40.2.159$1" in their httpd.conf is responsible for their own stupidity...
Wasn't this "exploit" (lets face it, this isn't a fucking exploit, it's a very bad example of a sysadmin error. It's like saying "I accidentally left the root password blank and set PermitRootLogin yes" and calling it security hole with ssh) reported some months ago?
We already did the "lets just double check" request completed on some of our older apache boxes and found several of these rules I guess my predecessors weren't terribly clever.
While you can scoff at the stupidity of others (I certainly did), there are some out there.
Best to doublecheck.
Stupid in a hurry...
It's also very easy to make stupid config mistakes when in a hurry, especially where the box in question isn't planned (at the time) to be a production box.
Now who here can honestly say they've never done something stupid in a config?
- Nokia: Read our Maps, Samsung – we're HERE for the Gear
- Ofcom will not probe lesbian lizard snog in new Dr Who series
- Kaspersky backpedals on 'done nothing wrong, nothing to fear' blather
- Episode 9 BOFH: The current value of our IT ASSets? Minus eleventy-seven...
- Too slow with that iPhone refresh, Apple: Android is GOBBLING up US mobile market