
Security flaw in Apache could allow attackers into internal networks

A gap in a recent patch to Apache's reverse proxy module allows attackers to …

A newly discovered flaw in Apache web servers could allow attackers to use servers configured as "reverse proxies" to gain access to or attack systems hidden from public view. The bug in Apache's reverse proxy mode only affects servers that have been configured incorrectly, but that error isn't an obvious one, since it doesn't interfere with normal operations. The flaw could be used by attackers to reach Web-enabled resources on other servers connected to the same network as the proxy.

Reverse proxies are Web servers configured to pass Web requests to other servers or resources transparently, providing access to resources on an internal network to Web users while making it appear that they reside on the server being accessed. They can be used to provide load balancing of requests to back-end applications, spreading requests out across multiple hidden servers, or as a way to protect potentially vulnerable Web applications from attack.

The security hole, discovered by Qualys Security Labs' Prutha Parikh, allows attackers using a specially crafted HTTP GET request to alter the uniform resource identifier (URI) created by Apache's remote proxy module, diverting it from the destination set in rules and allowing the attacker to access other systems on the network.

The Apache community patched a nearly identical vulnerability in the remote proxy module in October. Parikh discovered the new gap while reviewing the patch for that vulnerability, which returned an error if the URL sent by the requester didn't begin with a forward slash. But the fix didn't address URIs with a "scheme"—those that use embedded usernames and passwords or specific port numbers to access resources. By sending GET requests that fool the reverse proxy into appending a TCP/IP port number, host name or IP address to the URI, an attacker could redirect where the request is sent within the network behind the proxy server. An attacker could conceivably use the hole to probe internal networks for other servers and gain access to services that are not protected by additional passwords.

There's no patch immediately available, so the best course for many organizations is to check and change the configuration of Apache servers configured as reverse proxies (using the settings detailed in Parikh's blog, linked above). That may pose a problem for some websites, however, as it could change the URLs used to access applications.
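
One way to carry out the configuration check recommended above, as an added example that is not from the article or from Parikh's blog. It assumes the rules worth reviewing are proxied `RewriteRule` or `ProxyPassMatch` directives whose backend target runs straight from the host into a backreference with no "/" between them; the sample configuration and host names are constructed.

```python
import re

# RewriteRule / ProxyPassMatch: pattern, target, optional [flags].
# Quoted arguments containing spaces are not handled by this simple parser.
DIRECTIVE = re.compile(
    r'^\s*(RewriteRule|ProxyPassMatch)\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?',
    re.IGNORECASE)

# scheme://authority followed directly by $N or %{VAR}, with no "/" in between.
NO_SEPARATOR = re.compile(r'^[a-z][a-z0-9+.-]*://[^/$%]*[$%]', re.IGNORECASE)


def is_proxied(directive, flags):
    """ProxyPassMatch always proxies; RewriteRule only with the P flag."""
    if directive.lower() == 'proxypassmatch':
        return True
    names = [f.strip().lower() for f in (flags or '').split(',')]
    return 'p' in names or 'proxy' in names


def audit(config_text):
    """Return (line number, directive, target) for each rule to review."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        directive, _pattern, target, flags = m.groups()
        if is_proxied(directive, flags) and NO_SEPARATOR.match(target):
            findings.append((lineno, directive, target))
    return findings


# Constructed sample configuration (hypothetical host names).
SAMPLE = r"""# reverse proxy rules
RewriteEngine On
RewriteRule ^(.*) http://backend.internal.example$1 [P]
RewriteRule ^/(.*) http://backend.internal.example/$1 [P,L]
ProxyPassMatch (.*)\.(jpg|gif|png) http://images.internal.example$1.$2
RewriteRule ^/old/(.*) /new/$1 [R=301]
"""

if __name__ == '__main__':
    for lineno, directive, target in audit(SAMPLE):
        print(f'line {lineno}: {directive} target {target} has no "/" '
              'between the backend host and the backreference')
```

A flagged line is a candidate for review, not proof of exposure: whether it matters depends on what the rule's pattern allows the captured text to begin with.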
