Wrong on many counts.
1. This only applies to apache servers that are being used as a reverse proxy.
2. The admin must have poorly crafted a rewrite rule and a ProxyPassMatch rule.
3. If the above 2 are true then exploiting it is trivial.
Apache developers are working on a fix of a flaw in its web server software that creates a possible mechanism to access internal systems. The zero-day vulnerability only rears its ugly head if reverse proxy rules are configured incorrectly and is far from easy to exploit ... but it is nonetheless nasty. A possible patch for …
What part of the article did you not read:
1. "This only applies to apache servers that are being used as a reverse proxy" - yep that is explained clearly in the article.
2. Though not described in the article, there is no need to because it is adequately explained in the link to the Qualys site. Why re-hash, in fact there is nothing in the article to be "wrong" about.
3. Oh aye, big man speak. Come on then, put your money where your mouth is and show us your skillz and pwning.
To not use Apache at all.
It may still be the world's most popular web server but that has not stopped it being the unix world's security hole of choice. It isn't as if it's even a particularly good web server (compared to what is available these days). Just count the number of security issues per year we have with it.
And, whilst I am in rant mode: why do people insist on running webservers on privileged ports when it is the work of moments to stick them on some secret port numbers and NAT the requests from 80/443 to them?
Wasn't this "exploit" (let's face it, this isn't a fucking exploit, it's a very bad example of a sysadmin error. It's like saying "I accidentally left the root password blank and set PermitRootLogin yes" and calling it a security hole with ssh) reported some months ago?
We already did the "let's just double-check" request on some of our older Apache boxes and found several of these rules. I guess my predecessors weren't terribly clever.
While you can scoff at the stupidity of others (I certainly did), there are some out there.
Best to double-check.
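The kind of double-check the poster above describes, and the two preconditions the first comment lists (a reverse proxy plus a poorly crafted RewriteRule or ProxyPassMatch), can be scripted. The following is an added example written for this thread; it is not code from any commenter or from the Apache project. It assumes the weak form is a proxying rule (a `RewriteRule` with the `[P]` flag, or a `ProxyPassMatch`) whose regex is not anchored to a leading `/`, so that something other than a path can be handed to the backend URL; the configuration text is constructed for the example.

```python
import re

# Constructed sample of httpd configuration lines (not from any real server).
# Lines 3 and 5 are the weak form; lines 4 and 6 are the corrected form,
# anchored on a leading slash and re-inserting the slash into the target.
SAMPLE_CONFIG = r"""# reverse proxy to an internal application server
RewriteEngine On
RewriteRule ^(.*) http://app.internal:8080$1 [P]
RewriteRule ^/api/(.*) http://app.internal:8080/api/$1 [P,L]
ProxyPassMatch ^(.*)$ http://app.internal:8080$1
ProxyPassMatch ^/static/(.*\.css)$ http://cdn.internal/$1
ProxyPass /legacy http://legacy.internal/
"""


def _has_proxy_flag(flags):
    """True if a RewriteRule flag list such as [P] or [P,L] requests proxying."""
    m = re.fullmatch(r"\[(.*)\]", flags)
    if not m:
        return False
    return any(f.strip() in ("P", "proxy") for f in m.group(1).split(","))


def _anchored_at_root(pattern):
    """Heuristic: does the regex force the matched text to begin with '/'?

    Accepts ^/..., ^(/...) and ^(/a|/b)...; anything else (for example
    ^(.*) or an unanchored pattern) is reported as weak.
    """
    s = pattern[1:] if pattern.startswith("^") else pattern
    return s.lstrip("(").startswith("/")


def audit_config(text):
    """Return (line_number, directive, pattern) for every proxying rule whose
    regex is not anchored to a leading slash."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive == "rewriterule" and len(tokens) >= 4:
            if not _has_proxy_flag(tokens[3]):
                continue  # non-proxying rewrite, not relevant here
            pattern = tokens[1]
        elif directive == "proxypassmatch" and len(tokens) >= 3:
            pattern = tokens[1]
        else:
            continue
        if not _anchored_at_root(pattern):
            findings.append((lineno, tokens[0], pattern))
    return findings


if __name__ == "__main__":
    for lineno, directive, pattern in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {directive} pattern {pattern!r} is not anchored to '/'")
```

Run it over each vhost file, or over the output of `apachectl -S`'s referenced files, and then compare any hit with the neighbouring corrected form: anchor the regex with `^/` and put the slash back into the substitution (`http://app.internal:8080/$1`). The check is deliberately a heuristic on the regex text, so a rule it flags still needs a human look.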
Biting the hand that feeds IT © 1998–2020