back to article Apache developers scramble to fix proxy flaw

Apache developers are working on a fix of a flaw in its web server software that creates a possible mechanism to access internal systems. The zero-day vulnerability only rears its ugly head if reverse proxy rules are configured incorrectly and is far from easy to exploit ... but it is nonetheless nasty. A possible patch for …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Wrong on many counts..

    1. This only applies to apache servers that are being used as a reverse proxy.

    2. The admin must have poorly crafted a rewrite rule and a ProxyPassMatch rule.

    3. If the above 2 are true then exploiting it is trivial.

    1. Anonymous Hero
      Mushroom

      @condiment

      What part of the article did you not read:

      1. "This only applies to apache servers that are being used as a reverse proxy" - yep that is explained clearly in the article.

      2. Though not described in the article, there is no need to because it is adequately explained in the link to the Qualys site. Why re-hash, in fact there is nothing in the article to be "wrong" about.

      3. Oh aye, big man speak. Come on then, put your money where your mouth is and show us your skillz and pwning.

      Sigh,

    2. Vic

      > 2. The admin must have poorly crafted a rewrite rule and a ProxyPassMatch rule

      Indeed.

      Whilst this is rather interesting and slightly embarrassing, I doubt it'll have much impact - I don't think I've ever seen rewrite rules like that on any production server...

      Vic.

  2. Frederic Bloggs
    Pirate

    The alternative is...

    To not use Apache at all.

    It may still be the world's most popular web server but that has not stopped it being the unix world's security hole of choice. It isn't as if it's even a particularly good web server (compared to what is available these days). Just count the number of security issues per year we have with it.

    And, whilst I am in rant mode: why do people insist on running webservers on privileged ports when it is the work of moments to stick them on some secret port numbers and NAT the requests from 80/443 to them?

    1. Destroy All Monsters Silver badge
      Headmaster

      "why do people insist on running webservers on privileged ports"

      I recommend you switch your webserver off RIGHT NOW and STEP BACK FROM THE COMPUTER.

      Also, what _is_ available these days?

      1. Anonymous Coward
        Facepalm

        RE: Also, what _is_ available these days?

        I think he's implying we all use IIS.

        Sigh ...

    2. Tim Bates
      WTF?

      Privileged ports

      WTF would it achieve to run it on a non-standard port and then remap it at a NAT level?

  3. Tomato42
    Facepalm

    Stupid?

    I'd say, that anyone that puts "RewriteRule ^(.*) http://10.40.2.159$1" together with "ProxyPassMatch ^(.*) http://10.40.2.159$1" in their httpd.conf is responsible for their own stupidity...

  4. Anonymous Coward
    Anonymous Coward

    Old News

    Wasn't this "exploit" (lets face it, this isn't a fucking exploit, it's a very bad example of a sysadmin error. It's like saying "I accidentally left the root password blank and set PermitRootLogin yes" and calling it security hole with ssh) reported some months ago?

    We already did the "lets just double check" request completed on some of our older apache boxes and found several of these rules I guess my predecessors weren't terribly clever.

    While you can scoff at the stupidity of others (I certainly did), there are some out there.

    Best to doublecheck.

    1. Tim Bates

      Stupid in a hurry...

      It's also very easy to make stupid config mistakes when in a hurry, especially where the box in question isn't planned (at the time) to be a production box.

      Now who here can honestly say they've never done something stupid in a config?

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2020