Apache Flaw Allows Internal Network Access

← Back to Stories (view on slashdot.org)

Apache Flaw Allows Internal Network Access

Posted by samzenpus on Sunday November 27, 2011 @10:04PM from the protect-ya-neck dept.

angry tapir writes "A yet-to-be-patched flaw discovered in the Apache HTTP server allows attackers to access protected resources on the internal network if some rewrite rules are not defined properly. The vulnerability affects Apache installations that operate in reverse proxy mode, a type of configuration used for load balancing, caching and other operations that involve the distribution of resources over multiple servers."

99 comments

Min score:

Reason:

Sort:

bug confirmed on slashdot.org server by Anonymous Coward · 2011-11-27 22:12 · Score: 5, Funny

it allowed me to get frist post
1. Re:bug confirmed on slashdot.org server by Anonymous Coward · 2011-11-27 22:19 · Score: 0
  
  That's mostly because it's Apache. If it was Microsoft and IIS the page would be filled with "haha!" comments.
2. Re:bug confirmed on slashdot.org server by Anonymous Coward · 2011-11-28 02:10 · Score: 0
  
  haha!
  
  haha!
Yawn by Anonymous Coward · 2011-11-27 22:19 · Score: 3, Insightful

Improper regex usage causes intended consequences, news at 11.
1. Re:Yawn by marcosdumay · 2011-11-28 01:35 · Score: 2
  
  In this case, the consequences were unintended.
  
  --
  Rethinking email
2. Re:Yawn by trum4n · 2011-11-28 04:17 · Score: 1
  
  And, likely, will never be the same.
Use nginx? by mhh91 · 2011-11-27 22:23 · Score: 5, Interesting

Why would anyone use Apache as a reverse proxy anyway?
I mean, there's nginx, and it runs circles around Apache as far as I know.
1. Re:Use nginx? by Anonymous Coward · 2011-11-27 22:31 · Score: 2, Insightful
  
  On RHEL and CentOS "yum search nginx" says "No Matches found". Do I need to say more? :)
2. Re:Use nginx? by bogaboga · 2011-11-27 22:36 · Score: 0
  
  Why would anyone use Apache as a reverse proxy anyway?
  Because Apache zealots will tout this [flaw] as a feature and not a flaw.
  Remember what we had a few years ago with dependency hell? in rpm based distros?
  This 'hell' was fronted as a feature then. All complainants were 'put in their place' by saying they did not know what they were doing in the first place. Sad to say.
3. Re:Use nginx? by CmdrPony · 2011-11-27 22:37 · Score: 3, Informative
  
  It's on EPEL. And if you're running websites that need fast reverse proxying and caching on the web server side, you should be able to build it yourself too. nginx is specifically designed for this kind of stuff, and is much faster and more secure than Apache. It's Russian lightweight quality, while Apache is bloat as hell (for this kind of stuff).
4. Re:Use nginx? by Anonymous Coward · 2011-11-27 22:46 · Score: 0
  
  Yes, I know how to compile software myself, but wasting time to compile software is so 90's.
5. Re:Use nginx? by KiloByte · 2011-11-27 23:03 · Score: 2, Insightful
  
  nginx requires you to proxy everything, with Apache you can serve most of the website on that server and proxy away only a small part. Damn useful if you want to run something that needs its own http server (like, python-tornado) yet you don't want to give it a separate subdomain.
  
  --
  The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
6. Re:Use nginx? by Anonymous Coward · 2011-11-27 23:05 · Score: 0
  
  Why would anyone use Apache for anything?
  It's huge, it's config is insanely complex, and it's slower than just about anything else (why do you think MS use Apache when toting how fast IIS has become?)
  Secure? Any of those thousands of lines in the config file can have a mistake making it insecure.
7. Re:Use nginx? by wintermute000 · 2011-11-27 23:10 · Score: 2
  
  I thought if you need fast reverse proxying/caching you used the big name appliances (F5)
8. Re:Use nginx? by rev0lt · 2011-11-27 23:23 · Score: 2
  
  With apache, you can use mod_security to filter many types of attacks before they reach the actual webservers. But yes, for many of my applications, nginx is awesome :)
9. Re:Use nginx? by pinkeen · 2011-11-27 23:27 · Score: 2
  
  I think that's not true. You can delegate every location you want to a different server or serve it directly. You know there's this "location" directive in config. Nginx is very flexible.
10. Re:Use nginx? by Anonymous Coward · 2011-11-27 23:47 · Score: 1
  
  Yeah. Nginx is also missing some important functionality Apache has. Like digest authentication.
11. Re:Use nginx? by tero · 2011-11-27 23:50 · Score: 1
  
  A lot of third-party security related products (especially in the Authorization/Authentication/Access business) are still tied to Apache since it's been dominating the free-software space for such a long time.
12. Re:Use nginx? by KiloByte · 2011-11-28 00:00 · Score: 3, Informative
  
  If you do that, you pay full passthrough costs for every single URL -- parsing, 587598237592 (approximately) context switches, ferrying data between two userspace processes, etc. With Apache, you suffer that only for URLs you actually need to proxy.
  
  --
  The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
13. Re:Use nginx? by Tomato42 · 2011-11-28 00:02 · Score: 1
  
  But if you had a regular http server running Apache (don't tell me it's not the norm) and then a single app needed to be put on different server, like the python-tomato mentioned or .NET or JEE site. Do you reconfigure whole server or do you just add proxy to it?
  Just because using it in big deployments is stupid doesn't mean it isn't used in small systems (few dozen thousand hits a day) with room to spare.
14. Re:Use nginx? by Anonymous Coward · 2011-11-28 00:20 · Score: 1
  
  Learn to search "http://rpm.pbone.net". It's very handy for finding personally built packages that can be brought into the mainline or useful third party repositories like EPEL and RPMforge.
  And get *off* of CentOS, it's violating all the basic principles that caused people to discard WhiteBox. Closed developer group, no hint of their over tarfy release dates, and they refuse to even discuss what's holding them up, accept help, or discuss their build structure so other testers can replicate their problems. Anyone with a clue or a desire to be less than six months out of date with Red Hat is hopping over to Scientific Linux, which is more friendly and *far* more open about how they build their tools. It makes testing and debugging a lot easier.
15. Re:Use nginx? by Anonymous Coward · 2011-11-28 01:29 · Score: 0
  
  Nginx can serve local files too, not just proxy.
16. Re:Use nginx? by Anonymous Coward · 2011-11-28 01:37 · Score: 0
  
  In both nginx and apache you can select what you proxy by URL. So if that it is a problem in nginx it is a problem in apache too.
17. Re:Use nginx? by marcosdumay · 2011-11-28 01:42 · Score: 2
  
  That depends entirely on the specs of the machines you are aquiring from F5. For most of their offerings, it is worth more to buy a better switch and a server to run nginx. For most of their clients, that also applies.
  But, yes, there are some really good appliances you can buy for reverse proxy/caching. You just probably don't need them.
  
  --
  Rethinking email
18. Re:Use nginx? by Anonymous Coward · 2011-11-28 03:06 · Score: 0
  
  No one really cares about digest authentication because you should be using SSL. However there are modules available or in progress for it.
19. Re:Use nginx? by Anonymous Coward · 2011-11-28 03:29 · Score: 0
  
  1/10, try harder
20. Re:Use nginx? by Karzz1 · 2011-11-28 03:31 · Score: 1
  
  nginx does not support reverse-proxy to AJP as far as I know.
  
  --
  Beware of he who would deny you access to information, for in his heart he dreams himself your master.
21. Re:Use nginx? by Lennie · 2011-11-28 03:39 · Score: 1
  
  Even Apache has a project called http://trafficserver.apache.org/ if performance is what you need.
  
  --
  New things are always on the horizon
22. Re:Use nginx? by ArsenneLupin · 2011-11-28 03:47 · Score: 1
  
  But can it also run CGIs? Can it do php?
23. Re:Use nginx? by shish · 2011-11-28 05:27 · Score: 1
  
  On RHEL and CentOS "yum search nginx" says "No Matches found". Do I need to say more? :)
  This is exactly the example I use when suggesting Debian as a server OS. How can you live with such a shit default repository? Even the tools needed to build good software from source aren't included >:| (And last I attempted it a couple of years ago, CentOS had the nerve to tell me (after I'd formatted my drive) that I needed to go back to my previous OS and download another 3 CDs, because one CD can't contain the massive number of packages for an everything-disabled blank install...)
  
  --
  I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
24. Re:Use nginx? by Aighearach · 2011-11-28 05:30 · Score: 1
  
  modules available or in progress
  Dude, turn your fanboi level way down, you're spewing derps.
25. Re:Use nginx? by Aighearach · 2011-11-28 05:33 · Score: 1
  
  Remember what we had a few years ago with dependency hell? in rpm based distros?
  This 'hell' was fronted as a feature then. All complainants were 'put in their place' by saying they did not know what they were doing in the first place. Sad to say.
  
  Happy to say, RPM distro users are still using rpm and there is no dependency hell at all.
  Dependency hell was a feature of most early generation package management systems. They all had it, most improve over time. deb based systems had it too.
  You might want to update your fanboi examples for the new millennium.
26. Re:Use nginx? by shish · 2011-11-28 05:40 · Score: 1
  
  But can it also run CGIs?
  Yes
  
  Can it do php?
  Also yes
  Though in both cases, reverse-proxying to a webapp or fastcgi process running with the owning user's UID is simpler (and a better idea anyway, so do that)
  
  --
  I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
27. Re:Use nginx? by aztracker1 · 2011-11-28 05:41 · Score: 1
  
  IIRC both CGI ans FastCGI are supported, yes to PHP.
  
  --
  Michael J. Ryan - tracker1.info
28. Re:Use nginx? by garyebickford · 2011-11-28 06:01 · Score: 1
  
  SSL does not automatically solve the authentication problem. It's best to have some type of login form submission sequence, but digest authentication at least provides an authentication process that is encrypted end-to-end, and it happens before any web page is made visible. Digest plus SSL is a reasonable _minimum_ level of security for data that you want to keep private but aren't the crown jewels (IMHO).
  
  --
  It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
29. Re:Use nginx? by mcavic · 2011-11-28 07:10 · Score: 1
  
  wasting time to compile software is so 90's
  Agreed. Life is so much easier with RPM.
30. Re:Use nginx? by Just+Some+Guy · 2011-11-28 08:37 · Score: 1
  
  Because we've been using it in that role for most of a decade, it's never caused a single problem, and its performance has been completely satisfactory. nginx might be better in every other way but I've not had any reasons to replace a working, time-tested Apache installation with something new.
  
  --
  Dewey, what part of this looks like authorities should be involved?
31. Re:Use nginx? by Anonymous Coward · 2011-11-28 09:44 · Score: 0
  
  What the heck are you talking about, and why the heck was it modded insightful? I run a couple dozen web servers with nginx. Several of them serve sites directly (no proxying involved). Others serve as front end caching proxies for much slower servers (frequently Apache) that sit behind them. Several host sites that run via PHP/FastCGI or Perl/FastCGI. For dynamic sites, I've got countless test results that clearly demonstrate nginx with PHP/FastCGI absolutely blowing the doors off of Apache/mod_php for directly served sites.
  Please spend some quality time with nginx and its documentation before posting anything else on the topic.
32. Re:Use nginx? by Anonymous Coward · 2011-11-28 09:54 · Score: 0
  
  This is more BS. Please go set up an actual production environment with nginx. Heck, go set up the environment with a single server that (1) serves sites directly via nginx, (2) proxies some requests back to other servers on your network, (3) does caching of static assets via nginx, (4) does PHP/FastCGI (there are similar setups for Perl, Python, etc). Then go run some actual performance tests.
  Basically, you have zero knowledge of nginx, and you're trying to prop up a failed position with senseless babbling. Please stop.
33. Re:Use nginx? by fenix849 · 2011-11-28 10:10 · Score: 1
  
  You miss spelt .DEB :)
34. Re:Use nginx? by mcavic · 2011-11-28 12:41 · Score: 1
  
  I'll correct myself: "Life is so much easier with a package manager".
  
  But I do prefer the word "yum" over "apt-get". Especially since "apt-get install" seems like a redundant statement. :)
35. Re:Use nginx? by micheas · 2011-11-28 16:47 · Score: 1
  
  In my experience, the difference between apache and nginx is pretty small if you make an apples to apples comparison.
  Apache can run as either a threaded or non-threaded server. IF you are running apache as a reverse proxy, and have everything else stripped out and are running the Event Multi-Processing Module, the difference between apache and nginx tends to be reasonably small, in my experience.
  I use NGINX, and like it, but the awsome performance improvement is something that seems to apply to people that don't know how to tune apache. To say that you are using NGINX, just because you don't want deal with configuring apache from scratch, and you don't have a 99% of the way there config file is reasonable.
  I will say that what I have found is that ssl traffic is where NGINX shines. In my experience NGINX is not much faster, but it can handle a lot more simultaneous ssl connections than lighttpd or apache, which makes it perfect for sites that require user logins.
  
  --
  Work bio at MMWD
36. Re:Use nginx? by DavidTC · 2011-11-28 17:29 · Score: 1
  
  Yes, but if you do that, you can't use PHP compiled in. You have to do fastcgi, just like nginx.
  More specifically, if you're planning on tearing down the entire apache config and rebuilding it, and stripping out all the features that apache has, I'm a bit unsure why you'd use apache anyway.
  Use apache if you need something that nginx can't do well, like webdav. Otherwise, don't spend the time trying to make it work like nginx, just use nginx.
  
  --
  If corporations are people, aren't stockholders guilty of slavery?
37. Re:Use nginx? by micheas · 2011-11-28 17:53 · Score: 1
  
  Sometimes you have the choice of:
  a) run NGINX as a reverse proxy and rewrite all your rewrite rules
  or
  b) run apache as a reverse proxy and configure it so it runs quickly and keep your rewrite rules.
  The size and complexity of the existing rewrite rules generally makes one of them the obvious choice.
  
  --
  Work bio at MMWD
38. Re:Use nginx? by DavidTC · 2011-11-29 07:52 · Score: 1
  
  I've found that having massively complicated rewrites is just an exercise in annoyance. Especially when you have rules working at both server and directory level.
  About the only rewrite rules that makes sense in 99% of the circumstances are things like 'Alias an entire directory into the site so there's a webmail dir or whatever' and 'Send all not-found requests to this specific script'. (And strictly speaking, you can do the first with a symlink, although sometimes that's not workable.)
  Yes, I'm sure there are circumstances where more rules are needed. Sometimes there's really weird stuff, and if you're doing a reverse proxy, you quite possibly are faced with such a situation.
  And, of course, if you're running a server and letting end users set up such a system, they might insist on the ability to add rules, which requires apache, as nginx doesn't screw around with .htaccess files. (OTOH, you can just ask them what they are running, and if it's any sort of dynamic site, just send all 404s to index.php, and, tada, magically it all works.)
  So I suspect, statistically, that something like nine out of ten rewrite rules really aren't needed. In fact, joomla comes with like 12 lines of apache rewrite rules (The actual rules, not the comments, and not counting other stuff in the file)...and really only needs three.
  
  --
  If corporations are people, aren't stockholders guilty of slavery?
39. Re:Use nginx? by fenix849 · 2011-11-30 14:04 · Score: 1
  
  Do you make all choices based on which option has more grammatical faux pas, or is this a special case? :P
40. Re:Use nginx? by mcavic · 2011-11-30 16:00 · Score: 1
  
  It's not unprecedented. Kodak used to sell a very pretty gold-colored AA battery. I haven't seen any in years, but they used to be my favorite. Now I use Energizer, because gold > silver > copper. :)
Garbage in, by garry_g · 2011-11-27 22:25 · Score: 0

Garbage out. What else is new?
1. Re:Garbage in, by Anonymous Coward · 2011-11-27 22:26 · Score: 1, Funny
  
  Apache is garbage! Upgrade to IIS!
2. Re:Garbage in, by Eraesr · 2011-11-27 22:29 · Score: 5, Insightful
  
  Pretty stupid thing to say. Garbage in should never mean "protected resources out".
3. Re:Garbage in, by Anonymous Coward · 2011-11-27 23:05 · Score: 5, Interesting
  
  Garbage out. What else is new?
  GI/GO is bullshit, you should never output garbage no matter how fucked up the input is. If you can't process it normally, you kick out an error condition of some sort you don't just throw up your hands and say "Oh well, the user entered the wrong password so we'll just have to give him access to everything".
4. Re:Garbage in, by garry_g · 2011-11-27 23:23 · Score: 2
  
  How can an automated system recognize whether an input is "not what the user meant to type"? As long as an input is syntactically correct, it's not up to the system ... granted, the double colon might not fall under the "syntactically correct" inputs, though it would have to be checked whether it may indeed be allowed or not ...
5. Re:Garbage in, by Sqr(twg) · 2011-11-28 00:39 · Score: 4, Insightful
  
  Pretty stupid thing to say. If the person who inputs the garbage is the admin (which is the case here, since only an admin can create rewrite rules) then it's not surprising that security might be compromised. There's no way you can make software safe from incompetent people with admin privileges.
6. Re:Garbage in, by Anonymous Coward · 2011-11-28 01:20 · Score: 0
  
  It's more about:
  Garbage in: You misconfigure stuff
  Garbage out: so don't expect the software to work correctly.
  Even in the summary it says: "if some rewrite rules are not defined properly [...]"
7. Re:Garbage in, by Eraesr · 2011-11-28 01:44 · Score: 2
  
  I do not agree.
  Software should prevent people, including even the most experienced admins, from making such mistakes. The fact that it's possible to make such a mistake is a flaw in the software.
8. Re:Garbage in, by Pieroxy · 2011-11-28 03:57 · Score: 1
  
  I do not agree.
  Software should prevent people, including even the most experienced admins, from making such mistakes. The fact that it's possible to make such a mistake is a flaw in the software.
  Beware, you're one step away from advocating iOS here. At least on iOS, it's harder for users to break things by typing nonsense in the configuration section.
  
  --
  Write boring code, not shiny code!
9. Re:Garbage in, by Aighearach · 2011-11-28 05:39 · Score: 1
  
  GI/GO is bullshit, you should never output garbage no matter how fucked up the input is
  *whoooosh*
  No, the computer has no way of reading your mind to know that the garbage isn't the perfectly processed output expected from the given input. The computer doesn't understand intent or context, and thankfully it just does what it's told instead of deciding to give you some stupid error, "The output wouldn't have looked pretty to computers. Error."
  Before tossing out grampa's words of wisdom, at least try to understand them. And if you can't, the get off my lawn!!!
10. Re:Garbage in, by Shatrat · 2011-11-28 06:10 · Score: 1
  
  What if the admin wants to do this intentionally to make internal resources available? Do you propose to limit the abilities of the regex in question to only make certain things possible? That doesn't seem like an improvement.
  
  --
  09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
11. Re:Garbage in, by korgitser · 2011-11-28 08:19 · Score: 1
  
  Software should prevent people, including even the most experienced admins, from making such mistakes. The fact that it's possible to make such a mistake is a flaw in the software.
  Thin ice here... The unix world seems to think, and usually it is the case, that by preventing the user from doing stupid things, you also prevent him from doing clever things. Yes there are exceptions, but it is important on which side you default.
  
  --
  FCKGW 09F9 42
12. Re:Garbage in, by Eraesr · 2011-11-28 21:29 · Score: 1
  
  Like korgitser mentions in this comment, exceptions can be made, but by default it shouldn't be possible. I'm not saying it should be absolutely impossible to do this, but add another layer of protection which prevents admins from accidentally doing something like this. If an admin intentionally wants to do this and sets a specific configuration flag which allows him to do so, then that's a different story.
Linux security flaw discovered by xyph0r · 2011-11-27 22:31 · Score: 4, Funny

If you set the root password to 'password' and allow root login via ssh, attackers could compromise your system.

--
SQL programmer goes to a bar. Walks up to two tables and says 'Excuse me, may I join you?'.
1. Re:Linux security flaw discovered by Anonymous Coward · 2011-11-27 22:36 · Score: 4, Funny
  
  If you set the root password to 'password' and allow root login via ssh, attackers could compromise your system.
  Wooot? Thank God I used 'root' as my root password then ;)
2. Re:Linux security flaw discovered by marcosdumay · 2011-11-28 01:44 · Score: 1
  
  I'm holding to the long tradition of using '123456' for all users, on all systems.
  
  --
  Rethinking email
3. Re:Linux security flaw discovered by Fujisawa+Sensei · 2011-11-28 03:44 · Score: 0
  
  Wow, that's the same combination that's on my luggage!
  Better go change that.
  
  --
  If someone is passing you on the right, you are an asshole for driving in the wrong lane.
4. Re:Linux security flaw discovered by Pieroxy · 2011-11-28 04:01 · Score: 1
  
  Wow, that's the same combination that's on my luggage!
  You have SIX digits on your luggage lock! Wow!!! Which brand is that ?
  
  --
  Write boring code, not shiny code!
Probably not worthy of a front page article... by Bert64 · 2011-11-27 22:32 · Score: 5, Informative

This is a fairly minor vulnerability at best, in order for it to matter to you at all:
1, you have to be using reverse proxy mode
2, you have to have misconfigured your rewrite rules
3, you have to actually have some internal resources that are private
The webservers I run, aside from not using Apache in reverse proxy mode...
Some of them are in isolated dmz networks, so the only data you could get at is part of the public website anyway...
The others are standalone webservers connected direct to the internet, a reverse proxy wouldn't get you anything you couldn't get to directly.
What percentage of apache users will actually fulfil all the criteria for this issue to even matter to them at all?

--
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
1. Re:Probably not worthy of a front page article... by CmdrPony · 2011-11-27 22:43 · Score: 3, Insightful
  
  Just because you don't run such large sites doesn't mean it's not going to be a problem for anyone. When it's about some Microsoft vulnerability, there's new stories even for some minor things. I think Apache vulnerability is a big thing.
  
  It's easy to misconfigure those rewrite rules, and trust me, larger companies have internal resources that really should stay private. That Apache allows access to such resources is a huge flaw.
2. Re:Probably not worthy of a front page article... by FBeans · 2011-11-27 22:43 · Score: 3
  4. You have to be attacked by somebody, who knows how to access these private resources.
  5. They have to do some thing with those resources (perhaps just read)
  6. You have to actually care that all of this just happened.
  I think it's good these security risks are highlighted, It can only bring about a faster fix. Of course in reality their are more problems with Apache, with IIS, with "ngix"(meh!) and all software. We don't know about these and they won't cause to much fuss.
  Bad Joke of the day: What do you do if your http server is broken? Just apply A-patch-e!!! (sorry)
3. Re:Probably not worthy of a front page article... by ledow · 2011-11-27 23:13 · Score: 4, Insightful
  
  If you have internal resources that need to stay private, have a large IT budget, run many Apache servers in reverse proxy modes and one of your admins is STUPID enough to not only mis-write their regular expressions like this (even if it wasn't obvious to an amateur), but they also fail to keep up on the security lists that have been discussing this for weeks, ignore all the advice given and have to find out via Slashdot that they need to do something - you are REALLY employing the wrong IT people.
  Everyone else? It doesn't actually affect them.
4. Re:Probably not worthy of a front page article... by knuthin · 2011-11-27 23:39 · Score: 1
  
  Bad Joke of the day: What do you do if your http server is broken? Just apply A-patch-e!!! (sorry)
  Thanks for cracking that hilariously funny joke in the end (for the millionth time)
  
  http://wiki.apache.org/httpd/FAQ#Why_the_name_.22Apache.22.3F
  https://en.wikipedia.org/wiki/Apache_HTTP_Server
  
  --
  Some apps are WYSIWYG. Some others are WYSIWTF.
5. Re:Probably not worthy of a front page article... by cr_nucleus · 2011-11-27 23:40 · Score: 1
  
  What percentage of apache users will actually fulfil all the criteria for this issue to even matter to them at all?
  Considering the ubiquity of apache webserver i'd say even a very low percentage of installs would still be a lot.
  Also it's always good to know about existing vulnerabilities if only to update documentation.
6. Re:Probably not worthy of a front page article... by FBeans · 2011-11-27 23:46 · Score: 1
  
  No problem. Any other light-hearted, non-important things I can say that clearly piss you off? Just let me know.
7. Re:Probably not worthy of a front page article... by skovnymfe · 2011-11-28 00:14 · Score: 1
  
  If a large company has resources that need to stay private, they don't mix private resources with public services. Why is an Apache server even allowed to look at private resources in the first place?
8. Re:Probably not worthy of a front page article... by JasterBobaMereel · 2011-11-28 00:40 · Score: 1
  
  IIS has a URL Rewrite module that does the same as this with Reverse Proxy ..... does this suffer from the same issues?
  
  --
  Puteulanus fenestra mortis
9. Re:Probably not worthy of a front page article... by omnichad · 2011-11-28 07:41 · Score: 1
  
  For that matter, Apache has mod_proxy_http which does the same thing without rewrite rules. I have one external IP addresses and several subdomains running on my personal server that point to other hosts via mod_proxy_http. Works fairly well for me. Why would you use mod_rewrite for this unless you're only doing a subfolder?
10. Re:Probably not worthy of a front page article... by houghi · 2011-11-28 07:54 · Score: 1
  
  Just apply A-patch-e!!! (sorry)
  http://www.apache.org/foundation/faq.html#name
  They use it themselves.
  Although on other sources the 'a patchy' server was the origin and when it was pointed out that it sounded like 'Apache' they used that and Apache now denies that to be true.
  
  --
  Don't fight for your country, if your country does not fight for you.
11. Re:Probably not worthy of a front page article... by Anonymous Coward · 2011-11-28 10:30 · Score: 0
  
  This is a fairly minor vulnerability at best, in order for it to matter to you at all:
  1, you have to be using reverse proxy mode
  2, you have to have misconfigured your rewrite rules
  3, you have to actually have some internal resources that are private
  This is probably a very large percentage of Apache installations.. are you being sarcastic?
OLD NEWS by Anonymous Coward · 2011-11-27 22:39 · Score: 4, Informative

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368
Wait a minute... by supersat · 2011-11-27 22:47 · Score: 4, Insightful

Let me get this straight... IF you run Apache as a reverse proxy AND you misconfigure your mod_rewrite rules, then people can unintentionally access internal resources? I'm SHOCKED! SHOCKED, I tell you!
That being said, I did RTFM and it's kind of a cute attack. It probably should be patched to protect people from shooting themselves in the foot, but I'm not sure I'd actually call it a vulnerability...
1. Re:Wait a minute... by upuv · 2011-11-27 23:59 · Score: 2
  
  I'm stunned this made the front page. This has been known for a long time actually. I had my CIO ring me up on this. He was freaking. He's seriously pissed at me for not fixing something we don't have a vulnerability too. "We use apache so why are you not fixing this!!!!!!!!"
  I actually have a meeting with him and the security team on this, this week. I'm going to walk through the defect and walk through our config. I'm still going to be ordered to get my people to patch this. Even though the patch doesn't exist.
  Don't even respond with NGINX been trying to win that for awhile now.
2. Re:Wait a minute... by Tomato42 · 2011-11-28 00:08 · Score: 5, Interesting
  
  It would be like patching rm against usage of -rf. Just because you can cut your finger with a knife doesn't mean that the knife is a badly made tool, it just means you failed as a knife user.
  
  The Apache vulnerability isn't part of normal config, let alone the default one. Non story.
3. Re:Wait a minute... by geminidomino · 2011-11-28 01:41 · Score: 1
  
  That's what I was thinking... if this is a vulnerability, what would be the expected behavior instead? "I'm sorry, Dave, but I can't let you do that?" hard-coded restrictions that will have to be worked around whenever they get in the way?
  No thanks. If I wanted to deal with software that insists it's smarter than I am, I'd be on Windows, OS X, or fighting with the new GNOME. I have a better idea: give me the gun and the sandals, and I'll be okay.
  Anyone who isn't might want to see if they can get back their old job at GeekSquad/Genius Bar, and stop fucking around with dark arts that they don't understand.
4. Re:Wait a minute... by archen · 2011-11-28 02:00 · Score: 1
  
  If this is so common that it happens a lot and there is no reason people would write rules this way, then I'm not sure why you wouldn't patch it. Protecting the user base from pitfalls should be a goal of software. But yeah, non story.
  most implementations of rm now refuse to remove / (root directory), so yes even rm has been patched for safety at some point.
5. Re:Wait a minute... by Todd+Knarr · 2011-11-28 04:24 · Score: 1
  
  Pretty much, yeah. The first thing I thought when I saw the rewrite rule you need to have to allow the vulnerability is "Hey, that's not right! There ought to be a slash before the $1 there, if you don't want unexpected weirdness in the incoming URL to mess things up.". I can see why a naive admin might want to do that, but it's dangerous and to be avoided because it's making a lot of assumptions about people playing by the rules that you just can't make (at least not on a publicly-accessible server, and you shouldn't be making them even on an internal server).
  This ought to be patched just to be safe, but if you're vulnerable to it you've got bigger potential problems with your configuration.
6. Re:Wait a minute... by aztracker1 · 2011-11-28 05:47 · Score: 1
  
  Don't even respond with NGINX been trying to win that for awhile now.
  This could be a good time to push for it...
  
  --
  Michael J. Ryan - tracker1.info
7. Re:Wait a minute... by Anonymous Coward · 2011-11-28 13:27 · Score: 0
  
  Just because you can cut your finger with a knife doesn't mean that the knife is a badly made tool, it just means you failed as a knife user.
  
  Sure, that's fair. But the folks designing the straight edge shouldn't be surprised when they lose a ton of business to a better-designed safety razor.
8. Re:Wait a minute... by CmdrPony · 2011-11-28 17:05 · Score: 1
  
  Why would it need to be hard-coded, no way to turn off restriction? Just show a warning and ask if the user really wants to do that.
OWASP number 6 by Anonymous Coward · 2011-11-27 23:18 · Score: 0

Security Misconfiguration
Immature code by Anonymous Coward · 2011-11-27 23:52 · Score: 0

r->assbackwards = 0;
hah hah...
uh huh huh by sgt+scrub · 2011-11-28 01:49 · Score: 1

assbackwards is a variable.

--
Having to work for a living is the root of all evil.
Misread Headline by q-the-impaler · 2011-11-28 01:55 · Score: 1

Did Apache Flaw finally get promoted out of incubation?

--
Sierra Tango Foxtrot Uniform
READ TFA by Anonymous Coward · 2011-11-28 02:31 · Score: 0

If you actually read the damn thing rather than reacting without first checking, you'd see that this is a separate (but very closely related) issue. The article specifically explains this:

While reviewing the patch for the older issue CVE-2011-3368, it appeared that it was still possible to make use of a crafted request that could exploit a fully patched Apache Web Server (Apache 2.2.21 with CVE-2011-3368 patch applied)
Good job, Sherlock!
AH-64 by Anonymous Coward · 2011-11-28 12:47 · Score: 0

What does this have anything to do with rotary aviation?
LAMP by sentimental.bryan · 2011-11-29 00:17 · Score: 1

Linux - Good Apache HTTP - Not so good MySQL - Currently doing no evil PHP - For the love of god, why?