From owner-freebsd-apache@FreeBSD.ORG Mon Nov 28 17:35:55 2011 Return-Path: Delivered-To: freebsd-apache@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 06EDE106564A for ; Mon, 28 Nov 2011 17:35:55 +0000 (UTC) (envelope-from miwi.freebsd@googlemail.com) Received: from mail-gy0-f182.google.com (mail-gy0-f182.google.com [209.85.160.182]) by mx1.freebsd.org (Postfix) with ESMTP id B78908FC12 for ; Mon, 28 Nov 2011 17:35:54 +0000 (UTC) Received: by ghbg20 with SMTP id g20so6566847ghb.13 for ; Mon, 28 Nov 2011 09:35:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=sender:message-id:date:from:reply-to:organization:user-agent :mime-version:to:cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=kriQTyK4awsq3pvJFtAOagQ4fMlVhUVHoJZnK1a/q4c=; b=TOSIew4lzE+NE7bIYy3+sKVTW9l7tvNk+7mwWgWkzERaPABTUQUMA9i7ZggTsHL+Jv 3UeJ+fwCFUnCBIRWIvKqONFpukYXKvwiDP8m5n7JJd4jhZJqg2TCRRARXipw8a6n+wyq +mY4hypOQq9ZKdCOwTpiVh2Wus8BOl4kvo5sw= Received: by 10.50.47.201 with SMTP id f9mr50725622ign.18.1322499863650; Mon, 28 Nov 2011 09:04:23 -0800 (PST) Received: from yakim.homeunix.com ([175.143.228.155]) by mx.google.com with ESMTPS id eh34sm47887980ibb.5.2011.11.28.09.04.21 (version=SSLv3 cipher=OTHER); Mon, 28 Nov 2011 09:04:22 -0800 (PST) Sender: Martin Wilke Message-ID: <4ED42F57.9010003@FreeBSD.org> Date: Tue, 29 Nov 2011 01:03:19 +0000 From: Martin Wilke Organization: FreeBSD User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:8.0) Gecko/20111110 Thunderbird/8.0 MIME-Version: 1.0 To: Jeremy Chadwick References: <4ED4077D.4080308@gmail.com> <20111128164729.GA8555@icarus.home.lan> In-Reply-To: <20111128164729.GA8555@icarus.home.lan> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Mon, 28 Nov 2011 17:52:08 +0000 Cc: freebsd-apache@FreeBSD.org Subject: Re: further proxy/rewrite URL validation security issue X-BeenThere: freebsd-apache@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: miwi@FreeBSD.org List-Id: Support of apache-related ports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Nov 2011 17:35:55 -0000 On 11/28/2011 16:47, Jeremy Chadwick wrote: > On Mon, Nov 28, 2011 at 10:13:17PM +0000, Martin Wilke wrote: >> can someone please have a look here, >> >> http://marc.info/?l=apache-httpd-dev&m=132205829523882&w=2 >> >> - martin > As was analysed by many people on Slashdot: > > http://apache.slashdot.org/story/11/11/28/0335213/apache-flaw-allows-internal-network-access > > 1. you have to be using reverse proxy mode > 2. you have to have misconfigured rewrite rules > 3. you have to actually have some internal resources that are private > 4. you have to be attacked by somebody, who knows how to access these private resources > 5. they have to do some thing with those resources (perhaps just read) > 6. you have to actually care that all of this just happened > > Though it's still something that should be fixed, it is not "oh my god > this is huge/major/gigantic". The way it's being handled by news sites > and so on makes it sound drastic. > > For the workaround, look very closely at the "proper" ruleset at the > bottom -- note the extra slash: > > https://community.qualys.com/blogs/securitylabs/2011/11/23/apache-reverse-proxy-bypass-issue > Hi Jeremy, Thx for the explanation :). - Martin -- +-----------------oOO--(_)--OOo-------------------------+ With best Regards, Martin Wilke (miwi_(at)_FreeBSD.org) Mess with the Best, Die like the Rest