The Apache Software Foundation has squashed a reverse proxy flaw affecting its servers in which little more than a missing forward slash had exposed untold numbers of network devices and information to hackers.
Reverse proxies route external HTTP and HTTPS web requests to an internal web server. It is used in load balancing and to make multiple web servers at different paths appear as a single web interface.
Buggy Apache HTTP Servers in reverse proxy mode that omitted the forward slash could allow attackers to change HTTP requests. From there they could access sensitive resources including administration access for routers, web servers, firewalls and databases.
The Apache Software Foundation has patched the flaw, which was discovered last month by UK-based Context Information Security during a penetration test.
But Context Information Security research and development manager Michael Jordon said the flaw could affect other web servers.
“This latest vulnerability present is a potential back door to sensitive internal or DMZ systems but is totally avoidable if the reverse proxies are properly configured," he said. “[We have] not investigated other web servers and proxies but it is reasonable to assume that the problem is more widespread.”
Credit: Context Information Security
"When using the RewriteRule or ProxyPassMatch directives to configure a reverse proxy using a pattern match, it is possible to inadvertently expose internal servers to remote users who send carefully crafted requests,” Apache's Joe Orton said. “The server did not validate that the input to the pattern match was a valid path string, so a pattern could expand to an unintended target URL.”
The fix forced Apache software to validate the request URL.
Context Information Security said the vulnerability could be mitigated by changing reverse proxy configurations to ensure that rewrite rules cannot be abused. It released a vulnerability tool to identify the bug.
Adding the forward slash ensures Apache does not interpret the domain and port parts of the request as a username and password, Jordan said.