
Vulnerability of Apache httpd: access to another server via mod_proxy

Synthesis of the vulnerability 

An attacker can send a crafted HTTP request, when mod_proxy is configured with RewriteRule or ProxyPassMatch, in order to access web resources on another server.
Vulnerable software: Apache httpd, Debian, BIG-IP Hardware, TMOS, OpenView NNM, Junos Space, Junos Space Network Management Platform, Mandriva Linux, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity of this announcement: 2/4.
Creation date: 25/11/2011.
References for this computer vulnerability: BID-50802, c03231301, CVE-2011-4317, DSA-2405-1, HPSBMU02748, JSA10585, MDVSA-2012:003, openSUSE-SU-2012:0212-1, openSUSE-SU-2012:0248-1, openSUSE-SU-2013:0243-1, openSUSE-SU-2013:0248-1, RHSA-2012:0128-01, SOL15889, SSA:2012-041-01, SSRT100772, SUSE-SU-2011:1309-1, SUSE-SU-2011:1322-1, VIGILANCE-VUL-11179.

Description of the vulnerability 

The mod_proxy module configures Apache httpd as a proxy, so that clients can reach an internal web server. The resources of that server are intentionally public.

However, the VIGILANCE-VUL-11041 vulnerability of mod_proxy was not fully corrected.

The fix did not cover the case where the request carries a scheme ("something:endOfQuery"). The scheme ("something:") is stripped, and the remainder of the request ("endOfQuery") is appended to the target of the rewrite rule.

An attacker can therefore still send a crafted HTTP request to Apache httpd, when mod_proxy is configured with RewriteRule or ProxyPassMatch, in order to access web resources on another server.

This vulnerability alert impacts software and systems such as Apache httpd, Debian, BIG-IP Hardware, TMOS, OpenView NNM, Junos Space, Junos Space Network Management Platform, Mandriva Linux, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.

Our Vigil@nce team rated the severity of this vulnerability as medium.

The trust level is "confirmed by the vendor", and the attack origin is an Internet client.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with beginner skills can exploit this vulnerability.

Solutions for this threat 

Apache httpd: version 2.2.22.
Version 2.2.22 is fixed:
  http://httpd.apache.org/download.cgi

Apache httpd: patch for mod_proxy.
A patch is available in information sources.

Apache httpd: workaround for mod_proxy.
A workaround is to ensure that rewrite rules contain a '/' after the domain name, so that the captured part of the request can only ever form a path on the intended host. For example:
  RewriteRule ... http://images.example.com$1 [P]
  ProxyPassMatch ... http://images.example.com$1
must be rewritten as:
  RewriteRule /... http://images.example.com/$1 [P]
  ProxyPassMatch /... http://images.example.com/$1
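The workaround above can be checked mechanically before restarting the server. The following Python script is an added example, not part of the Vigil@nce bulletin or of the Apache project: it scans a configuration fragment (a constructed sample, not any real server's configuration) for RewriteRule [P] and ProxyPassMatch directives whose target is an absolute URL with a backreference glued directly to the host, and proposes the corrected target with the '/' inserted. It only handles the target side of the rule; the leading '/' the bulletin adds to the pattern must still be reviewed by hand.

```python
import re
from typing import List, Tuple

# Constructed sample configuration (not taken from any real server), mixing
# the vulnerable and the corrected forms shown in the workaround above.
SAMPLE_CONFIG = """\
# Unsafe: captured path runs straight into the host part of the target
RewriteRule ^(.*) http://images.example.com$1 [P]
ProxyPassMatch ^(.*) http://images.example.com$1
# Safe: a literal '/' separates the host from the captured path
RewriteRule ^/(.*) http://images.example.com/$1 [P]
ProxyPassMatch ^/(.*) http://images.example.com/$1
# Not a proxy rule (redirect only), so mod_proxy is not involved
RewriteRule ^/old$ /new [R=301]
"""

# Directive, pattern, target and optional [flags] of a rewrite/proxy line.
_DIRECTIVE = re.compile(
    r"^\s*(RewriteRule|ProxyPassMatch)\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?",
    re.IGNORECASE,
)

# An absolute-URL target whose authority (host[:port]) is immediately
# followed by a backreference such as $1, with no '/' in between.
_UNSAFE_TARGET = re.compile(r"^([a-z][a-z0-9+.-]*://[^/\s$]+)(\$\d)", re.IGNORECASE)


def find_unsafe_rules(config_text: str) -> List[Tuple[int, str]]:
    """Return (line number, stripped line) for each proxying rule whose target
    lets the captured request path be appended directly to the host name."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        directive, target, flags = m.group(1).lower(), m.group(3), m.group(4) or ""
        if directive == "rewriterule":
            # Only RewriteRule entries carrying the P/proxy flag hand the URL to mod_proxy.
            flag_set = {f.strip().lower() for f in flags.split(",")}
            if not flag_set & {"p", "proxy"}:
                continue
        if _UNSAFE_TARGET.match(target):
            findings.append((lineno, line.strip()))
    return findings


def suggest_fix(line: str) -> str:
    """Insert the missing '/' between the host and the backreference of the
    target; lines that are not affected are returned unchanged."""
    m = _DIRECTIVE.match(line)
    if not m:
        return line
    start, end = m.span(3)
    fixed_target = _UNSAFE_TARGET.sub(r"\1/\2", line[start:end], count=1)
    return line[:start] + fixed_target + line[end:]


if __name__ == "__main__":
    for lineno, rule in find_unsafe_rules(SAMPLE_CONFIG):
        print(f"line {lineno}: {rule}")
        print(f"    suggested: {suggest_fix(rule)}")
```

Run it against the text of httpd.conf and any included files; a RewriteRule without the [P] flag is deliberately ignored, since a plain redirect does not go through mod_proxy, while every ProxyPassMatch target is inspected.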

Debian: new apache2 packages.
New packages are available:
  apache2 2.2.9-10+lenny12
  apache2 2.2.16-6+squeeze6

F5 BIG-IP: solution for Apache.
The solution is indicated in information sources.

HP OV NNM: hotfix SSRT100772.
Hotfix SSRT100772 is available.

Junos Space: version 13.1R1.6.
Version 13.1R1.6 is fixed.

Mandriva: new apache packages.
New packages are available:
  apache-2.2.15-3.6mdv2010.2
  apache-2.2.21-0.4-mdv2011.0
  apache-2.2.9-12.15mdvmes5.2

openSUSE 11.4: new apache2 packages.
New packages are available:
  apache2-2.2.17-4.64.1

openSUSE 12.1: new apache2 packages.
New packages are available:
  apache2-2.2.21-3.9.1

openSUSE: new apache2 packages.
New packages are available:
  openSUSE 11.3 : apache2-2.2.15-4.9.1
  openSUSE 11.4 : apache2-2.2.17-4.11.1

RHEL 6.2: new httpd packages.
New packages are available:
  httpd-2.2.15-15.el6_2.1

Slackware: new httpd packages.
New packages are available:
  httpd-2.2.22-i486-1_slack12.0
  httpd-2.2.22-i486-1_slack12.1
  httpd-2.2.22-i486-1_slack13.0
  httpd-2.2.22-i486-1_slack13.1
  httpd-2.2.22-i486-1_slack13.37

Solaris 10: patch for Apache HTTP Server 2.
A patch is available:
  Solaris 10 :
    SPARC: 120543-28
    X86: 120544-28

Solaris 11: patch 11/11 SRU 6.6.
A patch is available:
  11/11 SRU 6.6 :
  https://support.oracle.com/CSP/main/article?type=NOT&id=1448432.1

Solaris 8, 9, 10: patch for Apache HTTP Server 1.3.
A patch is available:
  Solaris 8 :
    SPARC: 116973-10
    X86: 116974-10
  Solaris 9 :
    SPARC: 113146-15
    X86: 114145-14
  Solaris 10 :
    SPARC: 122911-30
    X86: 122912-30

SUSE LE 10 SP4: new apache2 packages.
New packages are available:
  apache2-2.2.3-16.42.2

SUSE LE 11: new apache2 packages.
New packages are available:
  apache2-2.2.12-1.28.1
