RMDG partner and independent security consultancy, "Context Information Security" has made CPNI Response aware of a security vulnerability which could potentially allow an attacker to gain full internal access to a network from the internet. The technique exploits insecurely configured reverse web proxies to gain access to internal/DMZ systems. This attack is based on an Apache web server which is using "mod_rewrite" to proxy web requests internally. Other proxies may suffer from this issue. The vulnerability occurs if the Apache configuration file is configured like this: RewriteRule ^(.*) http://internalserver:80$1 [P] As opposed to: RewriteRule ^(.*) http://internalserver:80/$1 [P] It is important for readers to review their reverse proxy configurations to ensure that the rewrite rules are securely configured and cannot be abused in such a way that they can be used to compromise internal systems.
Part of the problem is that httpd documentation was giving a bad example, that is probably going to get corrected in future upstream releases: http://httpd.apache.org/docs/2.2/rewrite/flags.html#flag_p RewriteRule (.*)\.(jpg|gif|png) http://images.example.com$1.$2 [P]
This flaw is now public, and has been fixed in svn: http://svn.apache.org/viewvc?view=revision&revision=1179239 The full upstream advisory is as follows (noted because it contains mitigation information): Apache HTTP Server Security Advisory ==================================== Title: mod_proxy reverse proxy exposure CVE: CVE-2011-3368 Date: 20111005 Product: Apache HTTP Server Versions: httpd 1.3 all versions, httpd 2.x all versions Description: ============ An exposure was reported affecting the use of Apache HTTP Server in reverse proxy mode. We would like to thank Context Information Security Ltd for reporting this issue to us. When using the RewriteRule or ProxyPassMatch directives to configure a reverse proxy using a pattern match, it is possible to inadvertently expose internal servers to remote users who send carefully crafted requests. The server did not validate that the input to the pattern match was a valid path string, so a pattern could expand to an unintended target URL. For future releases of the Apache HTTP Server, the software will validate the request URI, correcting this specific vulnerability. The documentation has been updated to reflect the more general risks with pattern matching in a reverse proxy configuration. Details: ======== A configuration like one of the following examples: RewriteRule (.*)\.(jpg|gif|png) http://images.example.com$1.$2 [P] ProxyPassMatch (.*)\.(jpg|gif|png) http://images.example.com$1.$2 could result in an exposure of internal servers. A request of the form: GET @other.example.com/something.png HTTP/1.1 would get translated to a target of: http://images.example.com@other.example.com/something.png This will cause the proxy to connect to the hostname "other.example.com", as the "images.example.com@" segment would be treated as user credentials when parsing the URL. This would allow a remote attacker the ability to proxy to hosts other than those expected, which could be a security exposure in some circumstances. The request-URI string in this example, "@other.example.com/something.png", is not valid according to the HTTP specification, since it neither an absolute URI ("http://example.com/path") nor an absolute path ("/path"). For future releases, the server has been patched to reject such requests, instead returning a "400 Bad Request" error. Actions: ======== Apache HTTPD users should examine their configuration files to determine if they have used an insecure configuration for reverse proxying. Affected users can update their configuration, or apply the patch from: http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/ For example, the above RewriteRule could be changed to: RewriteRule /(.*)\.(jpg|gif|png) http://images.example.com/$1.$2 [P] to ensure the pattern only matches against paths with a leading "/".
Created httpd tracking bugs for this issue Affects: fedora-all [bug 743653]
(In reply to comment #1) > Part of the problem is that httpd documentation was giving a bad example, that > is probably going to get corrected in future upstream releases: > > http://httpd.apache.org/docs/2.2/rewrite/flags.html#flag_p > RewriteRule (.*)\.(jpg|gif|png) http://images.example.com$1.$2 [P] The example was changed to: RewriteRule /(.*)\.(jpg|gif|png) http://images.example.com/$1.$2 [P] via: http://svn.apache.org/viewvc?view=revision&revision=1179283
External References: http://www.contextis.com/research/blog/reverseproxybypass/
Acknowledgement: Red Hat would like to thank Context Information Security for reporting this issue.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Via RHSA-2011:1392 https://rhn.redhat.com/errata/RHSA-2011-1392.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:1391 https://rhn.redhat.com/errata/RHSA-2011-1391.html
The upstream fix for this issue is here: http://svn.apache.org/viewvc?view=revision&revision=1179239 However that fix is insufficient as it does not handle HTTP 0.9 style requests (as noted via https://bugzilla.novell.com/show_bug.cgi?id=722545#c15). The additional fix to handle HTTP 0.9 requests is here: http://svn.apache.org/viewvc?view=revision&revision=1188745
Sorry, I didn't realize we had already filed a bug for the incomplete fix (bug #752080).
This issue has been addressed in following products: JBoss Enterprise Web Server 1.0.2 Via RHSA-2012:0543 https://rhn.redhat.com/errata/RHSA-2012-0543.html
This issue has been addressed in following products: JBEWS 1.0 for RHEL 5 JBEWS 1.0 for RHEL 6 Via RHSA-2012:0542 https://rhn.redhat.com/errata/RHSA-2012-0542.html