From owner-freebsd-apache@FreeBSD.ORG Mon Nov 28 16:47:31 2011
Date: Mon, 28 Nov 2011 08:47:29 -0800
From: Jeremy Chadwick
To: Martin Wilke
Cc: freebsd-apache@FreeBSD.org
Subject: Re: further proxy/rewrite URL validation security issue
Message-ID: <20111128164729.GA8555@icarus.home.lan>
References: <4ED4077D.4080308@gmail.com>
In-Reply-To: <4ED4077D.4080308@gmail.com>
List-Id: Support of apache-related ports

On Mon, Nov 28, 2011 at 10:13:17PM +0000, Martin Wilke wrote:
> can someone please have a look here,
>
> http://marc.info/?l=apache-httpd-dev&m=132205829523882&w=2
>
> - martin

As was analysed by many people on Slashdot:

http://apache.slashdot.org/story/11/11/28/0335213/apache-flaw-allows-internal-network-access

1. you have to be using reverse proxy mode
2. you have to have misconfigured rewrite rules
3. you have to actually have some internal resources that are private
4. you have to be attacked by somebody, who knows how to access these
   private resources
5. they have to do something with those resources (perhaps just read)
6. you have to actually care that all of this just happened

Though it's still something that should be fixed, it is not "oh my god
this is huge/major/gigantic". The way it's being handled by news sites
and so on makes it sound drastic.

For the workaround, look very closely at the "proper" ruleset at the
bottom -- note the extra slash:

https://community.qualys.com/blogs/securitylabs/2011/11/23/apache-reverse-proxy-bypass-issue

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, US |
| Making life hard for others since 1977.               PGP 4BD6C0CB |
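
Added example (not part of the original message or the linked Qualys post): a small audit script that checks an Apache configuration for the "missing slash" pattern the workaround refers to. It assumes a misconfigured rule is a proxying RewriteRule ([P] flag) or ProxyPassMatch whose target places a backreference directly after host[:port]; the host names and the sample configuration are constructed.

```python
import re

# Directive, match pattern, target URL, optional [flags] (RewriteRule only).
_DIRECTIVE = re.compile(
    r'^\s*(RewriteRule|ProxyPassMatch)\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?',
    re.IGNORECASE)

# scheme://host[:port] followed immediately by $N / %N, with no "/" between
# the fixed authority part and the request-derived part.
_NO_SLASH = re.compile(r'^[a-z][a-z0-9+.-]*://[^/\s$%]+[$%]', re.IGNORECASE)


def audit(config_text):
    """Return (line_number, line) for proxy rules lacking the separating slash."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = _DIRECTIVE.match(line)          # commented-out lines never match
        if not m:
            continue
        directive, _pattern, target, flags = m.groups()
        if directive.lower() == "rewriterule":
            # A RewriteRule only proxies when the P (proxy) flag is set.
            flagset = {f.strip().lower() for f in (flags or "").split(",")}
            if not flagset & {"p", "proxy"}:
                continue
        if _NO_SLASH.match(target):
            findings.append((lineno, line.strip()))
    return findings


# Constructed sample configuration; all host names are placeholders.
SAMPLE = """\
RewriteEngine On
RewriteRule ^(.*) http://backend.example.internal:8080$1 [P]
RewriteRule ^(.*) http://backend.example.internal:8080/$1 [P]
ProxyPassMatch ^(/img/.*)$ http://images.example.internal$1
# RewriteRule ^(.*) http://old.example.internal$1 [P]
RewriteRule ^/old(.*) http://www.example.com$1 [R=301,L]
"""

if __name__ == "__main__":
    for lineno, line in audit(SAMPLE):
        print(f"line {lineno}: no '/' between host and backreference: {line}")
```

Lines 2 and 4 of the sample are reported; line 3 is the same rule as line 2 with the extra slash and passes.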