Date: Tue, 29 Nov 2011 01:03:19 +0000
From: Martin Wilke <miwi@FreeBSD.org>
To: Jeremy Chadwick <freebsd@jdc.parodius.com>
Cc: freebsd-apache@FreeBSD.org
Subject: Re: further proxy/rewrite URL validation security issue
Message-ID: <4ED42F57.9010003@FreeBSD.org>
In-Reply-To: <20111128164729.GA8555@icarus.home.lan>
References: <4ED4077D.4080308@gmail.com> <20111128164729.GA8555@icarus.home.lan>
On 11/28/2011 16:47, Jeremy Chadwick wrote:
> On Mon, Nov 28, 2011 at 10:13:17PM +0000, Martin Wilke wrote:
>> can someone please have a look here,
>>
>> http://marc.info/?l=apache-httpd-dev&m=132205829523882&w=2
>>
>> - martin
> As was analysed by many people on Slashdot:
>
> http://apache.slashdot.org/story/11/11/28/0335213/apache-flaw-allows-internal-network-access
>
> 1. you have to be using reverse proxy mode
> 2. you have to have misconfigured rewrite rules
> 3. you have to actually have some internal resources that are private
> 4. you have to be attacked by somebody, who knows how to access these private resources
> 5. they have to do something with those resources (perhaps just read)
> 6. you have to actually care that all of this just happened
>
> Though it's still something that should be fixed, it is not "oh my god
> this is huge/major/gigantic". The way it's being handled by news sites
> and so on makes it sound drastic.
>
> For the workaround, look very closely at the "proper" ruleset at the
> bottom -- note the extra slash:
>
> https://community.qualys.com/blogs/securitylabs/2011/11/23/apache-reverse-proxy-bypass-issue
>

Hi Jeremy,

Thx for the explanation :).

- Martin

-- 
+-----------------oOO--(_)--OOo-------------------------+
With best Regards,
Martin Wilke (miwi_(at)_FreeBSD.org)
Mess with the Best, Die like the Rest
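As an added example (not part of this thread, and not code from Apache, FreeBSD or Qualys), the following Python script audits an httpd configuration for the misconfiguration the quoted message points at: a `RewriteRule ... [P]` or `ProxyPassMatch` whose target places a backreference such as `$1` directly after the backend host with no `/` in between. It reports such lines and rewrites them with the extra slash. The directive names and flag syntax are Apache's; the sample configuration text, hostnames and addresses are constructed for the example and the "hardened" form is an assumption about the workaround, not a substitute for applying the vendor fix.

```python
import re

# Constructed sample configuration fragments (not taken from the page or the
# Qualys post); they only illustrate the missing-slash shape of the rule.
WEAK_CONF = """\
RewriteEngine on
RewriteRule ^(.*) http://internal-app.example.local$1 [P]
ProxyPassMatch ^(.*) http://10.0.0.5:8080$1
"""

FIXED_CONF = """\
RewriteEngine on
RewriteRule ^(.*) http://internal-app.example.local/$1 [P]
ProxyPassMatch ^(.*) http://10.0.0.5:8080/$1
"""

# An absolute target whose authority (host[:port]) is followed directly by a
# backreference like $1, with no '/' separating the two.
_UNSAFE_TARGET = re.compile(r'^(?P<authority>https?://[^/\s$]+)(?P<ref>\$\d)')


def _proxy_target(parts):
    """Return the target URL of a proxying directive, or None for anything else.

    Only RewriteRule lines carrying the P/proxy flag and ProxyPassMatch lines
    hand the request to mod_proxy, so those are the ones worth inspecting.
    """
    directive = parts[0]
    if directive == 'ProxyPassMatch' and len(parts) >= 3:
        return parts[2]
    if directive == 'RewriteRule' and len(parts) >= 4:
        flags = parts[3].strip('[]').split(',')
        if 'P' in flags or 'proxy' in flags:
            return parts[2]
    return None


def find_unsafe_proxy_targets(conf_text):
    """Return [(line_number, target), ...] for rules that proxy to host$N targets."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split()
        target = _proxy_target(parts)
        if target is not None and _UNSAFE_TARGET.match(target):
            findings.append((lineno, target))
    return findings


def harden_line(line):
    """Insert the missing '/' between authority and backreference in one directive."""
    parts = line.split()
    if not parts:
        return line
    target = _proxy_target(parts)
    if target is None:
        return line
    fixed = _UNSAFE_TARGET.sub(
        lambda m: m.group('authority') + '/' + m.group('ref'), target)
    return line.replace(target, fixed, 1)


def harden_config(conf_text):
    """Apply harden_line to every line of a configuration text."""
    return '\n'.join(harden_line(l) for l in conf_text.splitlines()) + '\n'


if __name__ == '__main__':
    for lineno, target in find_unsafe_proxy_targets(WEAK_CONF):
        print(f'line {lineno}: backreference follows host without "/": {target}')
    print(harden_config(WEAK_CONF))
```

Run it against a real `httpd.conf` by reading the file into `find_unsafe_proxy_targets`; the check is deliberately narrow (single-line directives, `$N` immediately after the authority) so that it flags the exact shape discussed above rather than trying to be a general mod_rewrite linter.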