Slashdot Mirror


Apache Flaw Allows Internal Network Access

angry tapir writes "A yet-to-be-patched flaw discovered in the Apache HTTP server allows attackers to access protected resources on the internal network if some rewrite rules are not defined properly. The vulnerability affects Apache installations that operate in reverse proxy mode, a type of configuration used for load balancing, caching and other operations that involve the distribution of resources over multiple servers."
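A defender-side check for the misconfiguration the summary describes, as an added example (not part of the original story and not Apache project code): it flags `RewriteRule ... [P]` and `ProxyPassMatch` lines whose backend URL joins a backreference directly to the host with no `/` in between, so that request text can end up in the authority part of the backend URL. The rule shapes, hostnames and the `audit` helper are assumptions made for illustration.

```python
import re

# RewriteRule / ProxyPassMatch lines: directive, pattern, target, optional [flags].
DIRECTIVE = re.compile(
    r'^\s*(RewriteRule|ProxyPassMatch)\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?', re.I)
# Backend URL in which a backreference ($1, $2, ...) directly follows host[:port],
# i.e. no "/" separates the authority from text taken from the request.
HOST_ADJACENT_BACKREF = re.compile(r'^[a-z][a-z0-9+.-]*://[^/$]*\$\d', re.I)

def audit(config_text):
    """Return (line_number, directive, target) for each risky proxy rule."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        directive, _pattern, target, flags = m.groups()
        flag_names = [f.strip().lower() for f in (flags or '').split(',')]
        # ProxyPassMatch always proxies; RewriteRule only with the [P] flag.
        proxied = directive.lower() == 'proxypassmatch' or 'p' in flag_names \
            or 'proxy' in flag_names
        if proxied and HOST_ADJACENT_BACKREF.match(target):
            findings.append((lineno, directive, target))
    return findings

# Constructed sample config; all hostnames are placeholders.
SAMPLE = r"""# reverse proxy rules (constructed for this example)
RewriteEngine On
RewriteRule ^(.*)\.(jpg|gif|png)$ http://images.internal.example$1.$2 [P]
ProxyPassMatch ^(.*)\.css$ http://static.internal.example:8080$1.css
RewriteRule ^/(.*)\.(jpg|gif|png)$ http://images.internal.example/$1.$2 [P]
RewriteRule ^(.*)$ http://www.example.com$1 [R=301,L]
"""

if __name__ == '__main__':
    for lineno, directive, target in audit(SAMPLE):
        print(f'line {lineno}: {directive} -> {target} (no "/" before backreference)')
```

The corrected form on line 5 of the sample anchors the pattern at `^/` and puts a `/` between the backend host and `$1`; the redirect on line 6 is not flagged because it is not proxied.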


  1. bug confirmed on slashdot.org server by Anonymous Coward · · Score: 5, Funny

    it allowed me to get frist post

  2. Yawn by Anonymous Coward · · Score: 3, Insightful

    Improper regex usage causes intended consequences, news at 11.

    1. Re:Yawn by marcosdumay · · Score: 2

      In this case, the consequences were unintended.

  3. Use nginx? by mhh91 · · Score: 5, Interesting

    Why would anyone use Apache as a reverse proxy anyway?

    I mean, there's nginx, and it runs circles around Apache as far as I know.

    1. Re:Use nginx? by Anonymous Coward · · Score: 2, Insightful

      On RHEL and CentOS "yum search nginx" says "No Matches found". Do I need to say more? :)

    2. Re:Use nginx? by CmdrPony · · Score: 3, Informative

      It's on EPEL. And if you're running websites that need fast reverse proxying and caching on the web server side, you should be able to build it yourself too. nginx is specifically designed for this kind of stuff, and is much faster and more secure than Apache. It's Russian lightweight quality, while Apache is bloat as hell (for this kind of stuff).

    3. Re:Use nginx? by KiloByte · · Score: 2, Insightful

      nginx requires you to proxy everything, with Apache you can serve most of the website on that server and proxy away only a small part. Damn useful if you want to run something that needs its own http server (like, python-tornado) yet you don't want to give it a separate subdomain.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    4. Re:Use nginx? by wintermute000 · · Score: 2

      I thought if you need fast reverse proxying/caching you used the big name appliances (F5)

    5. Re:Use nginx? by rev0lt · · Score: 2

      With apache, you can use mod_security to filter many types of attacks before they reach the actual webservers. But yes, for many of my applications, nginx is awesome :)

    6. Re:Use nginx? by pinkeen · · Score: 2

      I think that's not true. You can delegate every location you want to a different server or serve it directly. You know there's this "location" directive in config. Nginx is very flexible.

    7. Re:Use nginx? by KiloByte · · Score: 3, Informative

      If you do that, you pay full passthrough costs for every single URL -- parsing, 587598237592 (approximately) context switches, ferrying data between two userspace processes, etc. With Apache, you suffer that only for URLs you actually need to proxy.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    8. Re:Use nginx? by marcosdumay · · Score: 2

      That depends entirely on the specs of the machines you are acquiring from F5. For most of their offerings, it is worth more to buy a better switch and a server to run nginx. For most of their clients, that also applies.

      But, yes, there are some really good appliances you can buy for reverse proxy/caching. You just probably don't need them.

  4. Re:Garbage in, by Eraesr · · Score: 5, Insightful

    Pretty stupid thing to say. Garbage in should never mean "protected resources out".

  5. Linux security flaw discovered by xyph0r · · Score: 4, Funny

    If you set the root password to 'password' and allow root login via ssh, attackers could compromise your system.

    --
    SQL programmer goes to a bar. Walks up to two tables and says 'Excuse me, may I join you?'.
    1. Re:Linux security flaw discovered by Anonymous Coward · · Score: 4, Funny

      If you set the root password to 'password' and allow root login via ssh, attackers could compromise your system.

      Wooot? Thank God I used 'root' as my root password then ;)

  6. Probably not worthy of a front page article... by Bert64 · · Score: 5, Informative

    This is a fairly minor vulnerability at best, in order for it to matter to you at all:

    1, you have to be using reverse proxy mode
    2, you have to have misconfigured your rewrite rules
    3, you have to actually have some internal resources that are private

    The webservers I run, aside from not using Apache in reverse proxy mode...

    Some of them are in isolated dmz networks, so the only data you could get at is part of the public website anyway...
    The others are standalone webservers connected direct to the internet, a reverse proxy wouldn't get you anything you couldn't get to directly.

    What percentage of apache users will actually fulfil all the criteria for this issue to even matter to them at all?

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    1. Re:Probably not worthy of a front page article... by CmdrPony · · Score: 3, Insightful

      Just because you don't run such large sites doesn't mean it's not going to be a problem for anyone. When it's about some Microsoft vulnerability, there's new stories even for some minor things. I think Apache vulnerability is a big thing.

      It's easy to misconfigure those rewrite rules, and trust me, larger companies have internal resources that really should stay private. That Apache allows access to such resources is a huge flaw.

    2. Re:Probably not worthy of a front page article... by FBeans · · Score: 3
      • 4. You have to be attacked by somebody, who knows how to access these private resources.
      • 5. They have to do some thing with those resources (perhaps just read)
      • 6. You have to actually care that all of this just happened.

      I think it's good these security risks are highlighted, it can only bring about a faster fix. Of course in reality there are more problems with Apache, with IIS, with "ngix"(meh!) and all software. We don't know about these and they won't cause too much fuss.

      Bad Joke of the day: What do you do if your http server is broken? Just apply A-patch-e!!! (sorry)

    3. Re:Probably not worthy of a front page article... by ledow · · Score: 4, Insightful

      If you have internal resources that need to stay private, have a large IT budget, run many Apache servers in reverse proxy modes and one of your admins is STUPID enough to not only mis-write their regular expressions like this (even if it wasn't obvious to an amateur), but they also fail to keep up on the security lists that have been discussing this for weeks, ignore all the advice given and have to find out via Slashdot that they need to do something - you are REALLY employing the wrong IT people.

      Everyone else? It doesn't actually affect them.

  7. OLD NEWS by Anonymous Coward · · Score: 4, Informative
  8. Wait a minute... by supersat · · Score: 4, Insightful

    Let me get this straight... IF you run Apache as a reverse proxy AND you misconfigure your mod_rewrite rules, then people can unintentionally access internal resources? I'm SHOCKED! SHOCKED, I tell you!

    That being said, I did RTFM and it's kind of a cute attack. It probably should be patched to protect people from shooting themselves in the foot, but I'm not sure I'd actually call it a vulnerability...

    1. Re:Wait a minute... by upuv · · Score: 2

      I'm stunned this made the front page. This has been known for a long time actually. I had my CIO ring me up on this. He was freaking. He's seriously pissed at me for not fixing something we don't have a vulnerability to. "We use apache so why are you not fixing this!!!!!!!!"

      I actually have a meeting with him and the security team on this, this week. I'm going to walk through the defect and walk through our config. I'm still going to be ordered to get my people to patch this. Even though the patch doesn't exist.

      Don't even respond with NGINX, been trying to win that for a while now.

    2. Re:Wait a minute... by Tomato42 · · Score: 5, Interesting

      It would be like patching rm against usage of -rf. Just because you can cut your finger with a knife doesn't mean that the knife is a badly made tool, it just means you failed as a knife user.

      The Apache vulnerability isn't part of normal config, let alone the default one. Non story.

  9. Re:Garbage in, by Anonymous Coward · · Score: 5, Interesting

    Garbage out. What else is new?

    GI/GO is bullshit, you should never output garbage no matter how fucked up the input is. If you can't process it normally, you kick out an error condition of some sort you don't just throw up your hands and say "Oh well, the user entered the wrong password so we'll just have to give him access to everything".

  10. Re:Garbage in, by garry_g · · Score: 2

    How can an automated system recognize whether an input is "not what the user meant to type"? As long as an input is syntactically correct, it's not up to the system ... granted, the double colon might not fall under the "syntactically correct" inputs, though it would have to be checked whether it may indeed be allowed or not ...

  11. Re:Garbage in, by Sqr(twg) · · Score: 4, Insightful

    Pretty stupid thing to say. If the person who inputs the garbage is the admin (which is the case here, since only an admin can create rewrite rules) then it's not surprising that security might be compromised. There's no way you can make software safe from incompetent people with admin privileges.

  12. Re:Garbage in, by Eraesr · · Score: 2

    I do not agree.
    Software should prevent people, including even the most experienced admins, from making such mistakes. The fact that it's possible to make such a mistake is a flaw in the software.