The open source Apache HTTP Web Server is at risk from a reverse proxy flaw that is currently unpatched. The flaw was disclosed Qualys security researcher Purtha Parikh late last week and is related to a flaw that Apache first attempted to fix in October.
“While reviewing the patch for the older issue CVE-2011-3368, it appeared that it was still possible to make use of a crafted request that could exploit a fully patched Apache Web Server (Apache 2.2.21 with CVE-2011-3368 patch applied) to allow access to internal systems if the reverse proxy rules are configured incorrectly, Parikh reported.
Reverse proxies are commonly used for load balancing static and dynamic content across multiple internal Web servers in an organization. By design, a reverse proxy is supposed to help shield internal Web servers from external threats and direct access. The unpatched Apache flaw could enable an attacker to get unauthorized access to an improperly configured reverse proxy that could lead to an attack against the internal servers.
“If a malformed URL request with a scheme was constructed, it would still be possible to bypass security and gain access to systems on the internal server provided that the reverse proxy rules were incorrectly configured,” Parikh warned.
The improperly configured rules reside in the mod_proxy and mod_rewrite Apache modules. Apache developer Joe Orton noted in a mailing list posting that the same configurations that were at risk from the flaw Apache fixed in October are still at risk.
“These unfortunately do not get trapped in the request parsing trap added in r1179239, so result in an input to rewrite rule processing which does not match the URL-path grammar (i.e. does not start with “/”),” Orton wrote.
Orton has also proposed a new patch to Apache that fixes the default mod_proxy and mod_rewrite configuration rules. As of today, the patch is still being discussed by Apache developers.
While there is currently no generally available patch from Apache, Parikh noted that there is a work around for the issue. She suggests that Apache administrators correctly setup their reverse proxy rules to prevent the unauthorized access. For the proof of concept attack, the correctly configured rules that need to be changed are:
RewriteRule ^(.*) http://10.40.2.159/$1
ProxyPassMatch ^(.*) http://10.40.2.159/$1
The reverse proxy flaw is not the first zero day flaw to hit Apache this year. In August, the open source group was hit by the so-called, ‘Apache Killer’ flaw. The Apache Killer could have led to denial of service (DoS) attacks.
Though new Web servers like nginx have emerged on the scene in recent years, Apache continues to dominate the Web server market. The November Netcraft Web Server Survey reported that Apache currently hold 65 percent of the Web server market share.