An information disclosure flaw was found in the way mod_proxy_ajp (AJP routines module for Apache proxy) and mod_proxy_http (HTTP routines module for Apache proxy) of httpd, the Apache HTTP server, performed management of connections to the back end server. When an error occurred, relevant connection to the back end server was not closed properly as expected. A remote attacker could issue a specially-crafted mod_proxy_ajp / mod_proxy_http request that, when processed could lead to information disclosure. Upstream bug report: [1] https://issues.apache.org/bugzilla/show_bug.cgi?id=53727 Relevant upstream patch: [2] http://svn.apache.org/viewvc?view=revision&revision=1374297 Upstream security page (covering also this issue): [3] http://httpd.apache.org/security/vulnerabilities_24.html References: [4] http://mail-archives.apache.org/mod_mbox/www-announce/201208.mbox/%3C0BFFEA9B-801B-4BAA-9534-56F640268E30@apache.org%3E [5] http://www.apache.org/dist/httpd/CHANGES_2.4.3
Reproducer from upstream bug (untested): 1. Create a simple web app and serve it with ajp 2. In the web app, create a normal page (with .js, .css, and images), then craft a slow page that only returns a response after 1 second 3. Setup a reversed proxy to the web app with mod_proxy_ajp (a plain ProxyPass line) 4. Enable mod_deflate for the usual content types 5. Open Firefox, go to about:config, and set network.http.accept-encoding from "gzip, deflate" to an empty string 6. Restart Firefox, clear cache 7. With Firefox, access the normal page and let it load to completion, then access the slow page and press "Ctrl-W" to close the tab before the response is returned 8. Open Chrome, clear cache 9. With Chrome, access the normal page and see things go haywire, e.g. a request for a .js file will receive a response of image/png
This issue did NOT affect the versions of the httpd package, as shipped with Red Hat Enterprise Linux 5 and 6. -- This issue did NOT affect the version of the httpd package, as shipped with JBoss Enterprise Web Server 1. -- This issue did NOT affect the version of the httpd package, as shipped with JBoss Enterprise Application Platform 6 (re-bundled JBoss Enterprise Web Server 1 version is provided as part of JBEAP 6.0.0). -- This issue did NOT affect the versions of the httpd package, as shipped with Fedora release of 16 and 17.
Statement: Not vulnerable. This issue did not affect the versions of httpd as shipped with Red Hat Enterprise Linux 4, 5, and 6, JBoss Enterprise Web Server 1, and JBoss Enterprise Application Server 6.
The httpd 2.2.x versions are not affected by this issue because the 'close' member (flag handling the connection close) in the underlying 'proxy_conn_rec' structure is implemented as plain C integer yet, rather than a bitfield.