Attack on Apache server exposes firewalls, routers and more Maintainers of the open-source Apache webserver are warning that their HTTP daemon is vulnerable to exploits that expose internal servers to remote attackers who embed special commands in website addresses. The weakness in 1.3 and all 2.x versions of the Apache HTTP Server can be exploited only under certain conditions. For one …
"unauthorized access to a highly sensitive DMZ, or 'demilitarized zone' resources inside an organization"
That's why the term "demilitarized zone" is dangerous - people let it all hang out on that little perimeter network. Militarize that DMZ now - passwords, encryption, intrusion detection, all of it.
The scenario described may actually be a little far-fetched as a security hole. The configuration directives that open it are the kind of thing far more likely to be used in a 'loose' configuration - for example a mass virtual hosting situation - than in a high-security situation where wildcards would flag a warning.
The other version of the risk is that you inadvertently make the server capable of being used as an open proxy. Not a proxy that could be used by a regular browser, but rather a browser hacked to send HTTP requests crafted to include routing information to an arbitrary destination.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
