Unpatched Apache Reverse Proxy Flaw Allows Access to Internal Network
A yet-to-be-patched flaw discovered in the Apache HTTP server allows attackers to access protected resources on the internal network if some rewrite rules are not defined properly.
The vulnerability affects Apache installations that operate in reverse proxy mode, a type of configuration used for load balancing, caching and other operations that involve the distribution of resources over multiple servers.
In order to set up Apache HTTPD to run as a reverse proxy, server administrators use specialized modules like mod_proxy and mod_rewrite.
Security researchers from Qualys warn that if certain rules are not configured correctly, attackers can trick servers into performing unauthorized requests to access internal resources.
The problem isn't new and a vulnerability that allowed similar attacks was addressed back in October. However, while reviewing the patch for it, Qualys researcher Prutha Parikh realized that it can be bypassed due to a bug in the procedure for URI (Uniform Resource Identifier) scheme stripping. The scheme is the URI part that comes before the colon ":" character, such as http, ftp or file.
One relatively common rewrite and proxying rule is "^(.*) http://internal_host$1", which redirects the request to the machine internal_host. However, if this is used and the server receives, for example, a request for "host::port" (with two colons), the "host:" part is stripped and the rest is appended to http://internal_host in order to forward it internally.
The problem is that in this case, the remaining part is ":port", therefore transforming the forwarded request into http://internal_host:port, an unintended behavior that can result in the exposure of a protected resource.
In order to mitigate the problem, server administrators should add a forward slash before $1 in the rewrite rule, the correct form being "^(.*) http://internal_host/$1", Parikh said.
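A configuration audit for the rule form described above, as an added example that is not code from the article, Qualys or the Apache project. It flags RewriteRule and ProxyPassMatch substitutions where a backreference directly follows the host name, suggests the slash-separated form, and models how the remainder ":port" is parsed in each case; the sample configuration and the port value 8080 are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Directive, pattern, substitution (flags such as [P] are ignored here).
RULE = re.compile(r'^\s*(RewriteRule|ProxyPassMatch)\s+(\S+)\s+(\S+)', re.I)
# A backreference ($1, %1, ...) glued to the authority with no "/" in between.
UNSAFE = re.compile(r'^(https?://[^/$%]+)([$%]\d)', re.I)

# Constructed sample configuration (not taken from a real server).
SAMPLE = """\
RewriteEngine On
RewriteRule ^(.*) http://internal_host$1 [P]
RewriteRule ^(.*) http://internal_host/$1 [P]
ProxyPassMatch ^(.*) http://internal_host$1
"""

def audit(config_text):
    """Return (line_no, substitution, suggested_fix) for each risky rule."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        rule = RULE.match(line)
        if not rule:
            continue
        subst = rule.group(3)
        hit = UNSAFE.match(subst)
        if hit:
            # Insert the missing "/" between the authority and the backreference.
            fixed = hit.group(1) + "/" + subst[hit.end(1):]
            findings.append((line_no, subst, fixed))
    return findings

def forwarded_target(subst, captured):
    """Model the substitution: expand $1, then parse the URL the proxy would use."""
    parts = urlsplit(subst.replace("$1", captured))
    return parts.hostname, parts.port, parts.path

if __name__ == "__main__":
    for line_no, subst, fixed in audit(SAMPLE):
        print(f"line {line_no}: {subst!r} -> use {fixed!r}")
    # Remainder after the scheme stripping described above (constructed value).
    remainder = ":8080/private"
    print(forwarded_target("http://internal_host$1", remainder))
    print(forwarded_target("http://internal_host/$1", remainder))
```

With the slash in place the remainder stays in the path component, so it can no longer select a port on internal_host.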
The Apache developers are aware of the problem and are currently discussing the best method of fixing it. One possibility would be to strengthen the previous patch in the server code in order to reject such requests; however, there's no certainty that new bypass methods won't be discovered.
"We could try to improve that fix, but I think it would be simpler to change the translate_name hooks in mod_proxy and mod_rewrite to enforce the requirement in the 'right' place," said Red Hat senior software engineer Joe Orton on the Apache dev mailing list. Orton proposed a patch that is currently being reviewed by the other developers.
Source: https://www.pcworld.com/article/478545/unpatched_apache_reverse_proxy_flaw_allows_access_to_internal_network.html
Posted by: burkhalternobs1952.blogspot.com