Apache developers are working on a fix of a flaw in its web server software that creates a possible mechanism to access internal systems. The zero-day vulnerability only rears its ugly head if reverse proxy rules are configured incorrectly and is far from easy to exploit ... but it is nonetheless nasty. A possible patch for …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Thursday 24th November 2011 17:31 GMT Anonymous Coward

Wrong on many counts..

1. This only applies to apache servers that are being used as a reverse proxy.

2. The admin must have poorly crafted a rewrite rule and a ProxyPassMatch rule.

3. If the above 2 are true then exploiting it is trivial.

2 4
1. Thursday 24th November 2011 20:35 GMT Anonymous Hero
  
  @condiment
  
  What part of the article did you not read:
  
  1. "This only applies to apache servers that are being used as a reverse proxy" - yep that is explained clearly in the article.
  
  2. Though not described in the article, there is no need to because it is adequately explained in the link to the Qualys site. Why re-hash, in fact there is nothing in the article to be "wrong" about.
  
  3. Oh aye, big man speak. Come on then, put your money where your mouth is and show us your skillz and pwning.
  
  Sigh,
  
  3 1
2. Thursday 24th November 2011 20:36 GMT Vic
  
  > 2. The admin must have poorly crafted a rewrite rule and a ProxyPassMatch rule
  
  Indeed.
  
  Whilst this is rather interesting and slightly embarrassing, I doubt it'll have much impact - I don't think I've ever seen rewrite rules like that on any production server...
  
  Vic.
  
  1 1
Thursday 24th November 2011 20:34 GMT Frederic Bloggs

The alternative is...

To not use Apache at all.

It may still be the world's most popular web server but that has not stopped it being the unix world's security hole of choice. It isn't as if it's even a particularly good web server (compared to what is available these days). Just count the number of security issues per year we have with it.

And, whilst I am in rant mode: why do people insist on running webservers on privileged ports when it is the work of moments to stick them on some secret port numbers and NAT the requests from 80/443 to them?

0 7
1. Friday 25th November 2011 08:43 GMT Destroy All Monsters
  
  "why do people insist on running webservers on privileged ports"
  
  I recommend you switch your webserver off RIGHT NOW and STEP BACK FROM THE COMPUTER.
  
  Also, what _is_ available these days?
  
  1 0
  1. Friday 25th November 2011 12:24 GMT Anonymous Coward
    
    RE: Also, what _is_ available these days?
    
    I think he's implying we all use IIS.
    
    Sigh ...
    
    0 0
2. Friday 25th November 2011 09:06 GMT Tim Bates
  
  Privileged ports
  
  WTF would it achieve to run it on a non-standard port and then remap it at a NAT level?
  
  0 0
Thursday 24th November 2011 20:35 GMT Tomato42

Stupid?

I'd say, that anyone that puts "RewriteRule ^(.*) http://10.40.2.159$1" together with "ProxyPassMatch ^(.*) http://10.40.2.159$1" in their httpd.conf is responsible for their own stupidity...

3 0
Thursday 24th November 2011 21:36 GMT Anonymous Coward

Old News

Wasn't this "exploit" (lets face it, this isn't a fucking exploit, it's a very bad example of a sysadmin error. It's like saying "I accidentally left the root password blank and set PermitRootLogin yes" and calling it security hole with ssh) reported some months ago?

We already did the "lets just double check" request completed on some of our older apache boxes and found several of these rules I guess my predecessors weren't terribly clever.

While you can scoff at the stupidity of others (I certainly did), there are some out there.

Best to doublecheck.

1 0
1. Friday 25th November 2011 09:46 GMT Tim Bates
  
  Stupid in a hurry...
  
  It's also very easy to make stupid config mistakes when in a hurry, especially where the box in question isn't planned (at the time) to be a production box.
  
  Now who here can honestly say they've never done something stupid in a config?
  
  1 0