Unpatched Apache reverse proxy flaw allows access to internal network

Security researcher reveals how to bypass older patch for an Apache reverse proxy vulnerability

A yet-to-be-patched flaw discovered in the Apache HTTP server allows attackers to access protected resources on the internal network if some rewrite rules are not defined properly.

The vulnerability affects Apache installations that operate in reverse proxy mode, a type of configuration used for load balancing, caching and other operations that involve the distribution of resources over multiple servers.

In order to set up Apache HTTPD to run as a reverse proxy, server administrators use specialized modules like mod_proxy and mod_rewrite.

Security researchers from Qualys warn that if certain rules are not configured correctly, attackers can trick servers into performing unauthorized requests to access internal resources.

The problem isn't new and a vulnerability that allowed similar attacks was addressed back in October. However, while reviewing the patch for it, Qualys researcher Prutha Parikh realized that it can be bypassed due to a bug in the procedure for URI (Uniform Resource Identifier) scheme stripping. The scheme is the URI part that comes before the colon ":" character, such as http, ftp or file.

One relatively common rewrite and proxying rule is "^(.*) http://internal_host$1", which redirects the request to the machine internal_host. However, if this is used and the server receives, for example, a request for "host::port" (with two colons), the "host:" part is stripped and the rest is appended to http://internal_host in order to forward it internally.

The problem is that in this case, the remaining part is ":port", therefore transforming the forwarded request into http://internal_host:port, an unintended behavior that can result in the exposure of a protected resource.

In order to mitigate the problem server administrators should add a forward slash before $1 in the rewrite rule, the correct form being "^(.*) http://internal_host/$1", Parikh said.

The Apache developers are aware of the problem and are currently discussing the best method of fixing it. One possibility would be to strengthen the previous patch in the server code in order to reject such requests, however, there's no certainty that other bypass methods won't be discovered.

"We could try improve that fix, but I think it would be simpler to change the translate_name hooks in mod_proxy and mod_rewrite to enforce the requirement in the 'right' place," said Red Hat senior software engineer Joe Orton on the Apache dev mailing list. Orton proposed a patch that is currently being reviewed by the other developers.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags internetservicessoftwareWeb serverspatchesHostedExploits / vulnerabilitiesApache Foundation

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?