Atomic Secure Linux
All times are UTC - 5 hours [ DST ]




 Post subject: Apache mod_rewrite hole
Posted: Mon Oct 10, 2011 2:31 pm
Forum Regular
Security experts at Context have discovered a hole in the Apache web server that allows remote attackers to access internal servers. The mod_rewrite rewrite engine ensures that requests are distributed across different servers according to definable rules, for example, in order to balance loads or to separate dynamic and static content. This configuration is also called a reverse proxy. In certain circumstances, an @ sign within a request can cause the rewrite rules to resolve URLs incorrectly, allowing attackers to specify arbitrary hosts.

For instance, the HTTP request:

GET @InternalNotAccessibleServer/console HTTP/1.0

causes mod_rewrite to create the following URL:

http://internalserver:80@InternalNotAcc ... er/console

Because of the @ sign, the segment that contains the actual host is interpreted as an HTTP authentication segment, and the request is redirected to any server (NotAccessibleServer) that the attacker chooses on the Apache server's local network. Further examples can be found in Context's report. The only prerequisite is that the attackers must know the local host name or the local IP address of the server they intend to access; however, this information can be obtained by brute force.

Apache 1.3 and all series 2 versions up to 2.2.20 are affected. As a workaround, an extra slash can be added to the rewrite rule. The report from Context also explains how to test whether a server is vulnerable and what to change if this is the case. In addition, the Apache Foundation has already released a patch for version 2.2.21 that will fix the problem.

SOURCE:
http://www.h-online.com/open/news/item/Apache-hole-allows-attackers-to-access-internal-servers-1355890.html


 Post subject: Re: Apache mod_rewrite hole
Posted: Mon Oct 10, 2011 3:55 pm
Atomicorp Staff - Site Admin
Thanks for alerting everyone.

Quote:
Apache 1.3 and all series 2 versions up to 2.2.20 are affected. As a workaround, an extra slash can be added to the rewrite rule


http://www.contextis.com/research/blog/ ... oxybypass/

Quote:

"If the Apache configuration file is configured like this (prior to Apache's recent update):

RewriteRule ^(.*) http://internalserver:80$1 [P]

And not like this:

RewriteRule ^(.*) http://internalserver:80/$1 [P]

Then access from the internet to any internal system that is accessible from the inside of the proxy is possible; the difference is the trailing slash after the port number."


This only affects you if you are using Apache as a reverse proxy and expecting it to protect systems behind it and acting as a firewall. So if you aren't doing that, don't worry about it.

OK, now personal thoughts on this class of vulnerabilities. This is IMHO an example of a vulnerability that occurs when you trust user input. I'm all for code that tries to protect you from yourself, so please don't anyone misunderstand my comments. This can only be exploited if you happen to write trusting mod_rewrite rules. In short, this isn't a vulnerability in the code; the code is doing exactly what someone configured mod_rewrite to do. It's not much of a surprise that the bad guys can put whatever they want into $1; you're reading in and trusting their input, which could be anything!

So, it's all well and good if mod_rewrite tries to protect you from cases where you might do this, but it can't make all input nonmalicious, so this shouldn't be treated as another example where everyone patches and just moves on. Instead, let this episode serve as an opportunity to review your mod_rewrite rules, or anything else for that matter, where you are trusting user input. If you find cases where you assume the user can only inject a specific input, and if they injected something malicious bad things might happen, then it's time to do some fixin'.

This type of vulnerability can happen with any application (that's why we have WAF rules, after all). Write whatever you are writing always with the idea in mind that someone could put anything they want into that variable or input field, including malicious input. So always make sure that user input is always treated as malicious and untrusted.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
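
Added example (not part of the original posts, and not Apache's or Context's code): a Python sketch of the URL confusion described in the first post and of the rule review suggested in the reply above. It assumes `$1` expansion can be modelled as plain string substitution; the function names and the sample config are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# RewriteRule <pattern> <substitution> [flags]
RULE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)\s+\[([^\]]*)\]', re.I)
# Substitution where a backreference ($N or %N) directly follows
# scheme://host[:port] with no "/" in between.
NO_SLASH = re.compile(r'^https?://[^/\s$%]+[$%]\d', re.I)


def backend_host(substitution, request_uri):
    """Host a standard URL parser sees once request_uri replaces $1.

    Simplified model: plain string substitution, not mod_rewrite itself.
    """
    return urlsplit(substitution.replace("$1", request_uri)).hostname


def audit(config_text):
    """Return (line_no, rule) for proxied rules missing the slash."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = RULE.match(line)
        if not m:
            continue
        flags = {f.strip().upper() for f in m.group(3).split(",")}
        # Only rules handed to the proxy module ([P] / [proxy]) matter here.
        if flags & {"P", "PROXY"} and NO_SLASH.match(m.group(2)):
            findings.append((n, line.strip()))
    return findings


# Constructed sample config built from the rules quoted in this thread.
SAMPLE = """\
RewriteEngine On
RewriteRule ^(.*) http://internalserver:80$1 [P]
RewriteRule ^(.*) http://internalserver:80/$1 [P]
RewriteRule .* http://www.domainB.tld/ [L,R=301]
"""

if __name__ == "__main__":
    uri = "@InternalNotAccessibleServer/console"  # request from the first post
    for sub in ("http://internalserver:80$1", "http://internalserver:80/$1"):
        # Without the slash, "internalserver:80" parses as userinfo.
        print(f"{sub:32} -> backend host: {backend_host(sub, uri)}")
    for n, rule in audit(SAMPLE):
        print(f"review line {n}: {rule}")
```

The parser lowercases host names, and the redirect rule on the last sample line is not flagged because it is not proxied.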


 Post subject: Re: Apache mod_rewrite hole
Posted: Mon Oct 10, 2011 4:37 pm
Forum Regular
Thanks for your quick and informative reply.

A question from my side. Joomla e.g. uses rewrites in default htaccess files like:
Code:
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]

Do I understand it correctly that I would have to put a slash like that in it:
Code:
RewriteRule ^(.*)/$ index.php [F,L]

or is this not necessary?
I personally use some rewrites like that:
Code:
RewriteCond %{HTTP_HOST} ^domainA\.tld$ [NC]
RewriteRule .* http://www.domainB.tld/ [L,R=301]


Would I have to add that slash there as well?

Thanks a lot


 Post subject: Re: Apache mod_rewrite hole
Posted: Mon Oct 10, 2011 4:44 pm
Atomicorp Staff - Site Admin
Quote:
or is this not necessary?


Thanks for the questions. In your case it's not necessary if you aren't running a reverse proxy. Additionally, those changes will break your rules with Joomla. So don't do them.

Keep in mind that this specific bypass attack only affects people using Apache as a reverse proxy, because that's all this does. It just lets people do things with the proxy module. So if you aren't using it to proxy, then you don't need to worry about this issue.

With that said, it's always a good idea to review your mod_rewrite rules to ensure they do what you want them to do, and nothing else, if something bad could happen if your users don't do things as you expect.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: Apache mod_rewrite hole
Posted: Tue Oct 11, 2011 3:18 am
Forum Regular
Great, thank you very much for your help.

