Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apache Flaw Allows Internal Network Access

Posted by samzenpus on from the protect-ya-neck dept.

angry tapir writes "A yet-to-be-patched flaw discovered in the Apache HTTP server allows attackers to access protected resources on the internal network if some rewrite rules are not defined properly. The vulnerability affects Apache installations that operate in reverse proxy mode, a type of configuration used for load balancing, caching and other operations that involve the distribution of resources over multiple servers."

6 of 99 comments (clear)

  1. bug confirmed on slashdot.org server by Anonymous Coward · · Score: 5, Funny

    it allowed me to get frist post

  2. Use nginx? by mhh91 · · Score: 5, Interesting

    Why would anyone use Apache as a reverse proxy anyway?

    I mean, there's nginx, and it runs circles around Apache as far as I know.

  3. Re:Garbage in, by Eraesr · · Score: 5, Insightful

    Pretty stupid thing to say. Garbage in should never mean "protected resources out".

  4. Probably not worthy of a front page article... by Bert64 · · Score: 5, Informative

    This is a fairly minor vulnerability at best, in order for it to matter to you at all:

    1, you have to be using reverse proxy mode
    2, you have to have misconfigured your rewrite rules
    3, you have to actually have some internal resources that are private

    The webservers I run, aside from not using Apache in reverse proxy mode...

    Some of them are in isolated dmz networks, so the only data you could get at is part of the public website anyway...
    The others are standalone webservers connected direct to the internet, a reverse proxy wouldn't get you anything you couldn't get to directly.

    What percentage of apache users will actually fulfil all the criteria for this issue to even matter to them at all?

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  5. Re:Garbage in, by Anonymous Coward · · Score: 5, Interesting

    Garbage out. What else is new?

    GI/GO is bullshit, you should never output garbage no matter how fucked up the input is. If you can't process it normally, you kick out an error condition of some sort you don't just throw up your hands and say "Oh well, the user entered the wrong password so we'll just have to give him access to everything".

  6. Re:Wait a minute... by Tomato42 · · Score: 5, Interesting

    It would be like patching rm against usage of -rf. Just because you can cut your finger with a knife doesn't mean that the knife is a badly made tool, it just means you failed as a knife user.

    The Apache vulnerability isn't part of normal config, let alone the default one. Non story.