Date: Mon, 28 Nov 2011 08:47:29 -0800
From: Jeremy Chadwick <freebsd@jdc.parodius.com>
To: Martin Wilke <miwi@FreeBSD.org>
Cc: freebsd-apache@FreeBSD.org
Subject: Re: further proxy/rewrite URL validation security issue
Message-ID: <20111128164729.GA8555@icarus.home.lan>
In-Reply-To: <4ED4077D.4080308@gmail.com>
References: <4ED4077D.4080308@gmail.com>
On Mon, Nov 28, 2011 at 10:13:17PM +0000, Martin Wilke wrote:
> can someone please have a look here,
>
> http://marc.info/?l=apache-httpd-dev&m=132205829523882&w=2
>
> - martin

As was analysed by many people on Slashdot:

http://apache.slashdot.org/story/11/11/28/0335213/apache-flaw-allows-internal-network-access

1. you have to be using reverse proxy mode
2. you have to have misconfigured rewrite rules
3. you have to actually have some internal resources that are private
4. you have to be attacked by somebody who knows how to access these private resources
5. they have to do something with those resources (perhaps just read)
6. you have to actually care that all of this just happened

Though it's still something that should be fixed, it is not "oh my god
this is huge/major/gigantic". The way it's being handled by news sites
and so on makes it sound drastic.

For the workaround, look very closely at the "proper" ruleset at the
bottom -- note the extra slash:

https://community.qualys.com/blogs/securitylabs/2011/11/23/apache-reverse-proxy-bypass-issue

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, US |
| Making life hard for others since 1977.             PGP 4BD6C0CB |
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20111128164729.GA8555>
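The "extra slash" Jeremy points at is the difference between a proxying RewriteRule whose pattern starts with `^(.*)` and one whose pattern starts with `^/(.*)`. The following is an added example, not code from the mail, from Apache or from the Qualys post: it embeds two constructed rulesets (the `backend.internal` host name is an assumption), lints a config for `[P]` / `proxy:` rules that do not anchor on a leading slash, and applies each rule to a request-target to show what host the proxied URL ends up pointing at. Whether a request-target lacking a leading "/" actually reaches mod_rewrite depends on the httpd version, which this model does not reproduce; it only shows what the substitution does once such a target is matched.

```python
import re
from urllib.parse import urlsplit

# Constructed Apache fragments (not from the original mail). The weak rule
# matches "^(.*)", so a request-target that does not begin with "/" is
# appended directly after the backend host name; the fixed rule requires
# the leading slash in the pattern and re-inserts it in the substitution.
WEAK_RULESET = """
RewriteEngine On
RewriteRule ^(.*) http://backend.internal$1 [P]
"""

FIXED_RULESET = """
RewriteEngine On
RewriteRule ^/(.*) http://backend.internal/$1 [P]
"""

# RewriteRule <pattern> <substitution> [flags]
RULE_RE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?', re.I)


def parse_rewrite_rules(config):
    """Return (pattern, substitution, flags) for each RewriteRule line."""
    rules = []
    for line in config.splitlines():
        m = RULE_RE.match(line)
        if m:
            flags = [f.strip().upper() for f in (m.group(3) or '').split(',') if f.strip()]
            rules.append((m.group(1), m.group(2), flags))
    return rules


def is_proxy_rule(subst, flags):
    """A rule proxies if it carries the [P] flag or uses a proxy: substitution."""
    return 'P' in flags or subst.lower().startswith('proxy:')


def find_unanchored_proxy_rules(config):
    """Lint: proxy rules whose pattern does not insist on a leading '/'."""
    bad = []
    for pattern, subst, flags in parse_rewrite_rules(config):
        if is_proxy_rule(subst, flags) and not pattern.startswith('^/'):
            bad.append((pattern, subst))
    return bad


def proxied_host(config, request_target):
    """Apply the first matching proxy rule to request_target and return the
    host of the URL the proxy would contact, or None if no rule matches."""
    for pattern, subst, flags in parse_rewrite_rules(config):
        if not is_proxy_rule(subst, flags):
            continue
        m = re.match(pattern, request_target)
        if not m:
            continue
        url = subst
        # mod_rewrite-style $N back-references into the substitution
        for i, group in enumerate(m.groups(), start=1):
            url = url.replace('$%d' % i, group or '')
        return urlsplit(url).hostname
    return None


if __name__ == '__main__':
    print('unanchored proxy rules in weak config:', find_unanchored_proxy_rules(WEAK_RULESET))
    for target in ('/index.html', 'other.example/x'):
        print(target, '->', proxied_host(WEAK_RULESET, target), '|', proxied_host(FIXED_RULESET, target))
```

With the weak ruleset a request-target such as `other.example/x` is matched by `^(.*)` and substituted into `http://backend.internal$1`, so the proxy contacts `backend.internalother.example` rather than the intended backend; the anchored ruleset simply does not match that target. The lint function is the check to run over your own `RewriteRule` lines: any `[P]` rule whose pattern does not begin with `^/` deserves a second look.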