U-005: Apache mod_proxy Pattern Matching Bug Lets Remote Users Access Internal Servers

October 6, 2011 - 9:30am

PROBLEM:

Apache mod_proxy Pattern Matching Bug Lets Remote Users Access Internal Servers.

PLATFORM:

Apache HTTP Server 1.3.x, 2.2.21 and prior versions

ABSTRACT:

A remote user can access internal servers.

REFERENCE LINKS:

The Apache HTTP Server Project
SecurityTracker Alert ID: 1026144
CVE-2011-3368

IMPACT ASSESSMENT:

High

DISCUSSION:

A vulnerability was reported in Apache mod_proxy that lets a remote user access internal servers. When the server is configured in reverse proxy mode and uses the RewriteRule or ProxyPassMatch directives with a pattern match, a remote user can send a specially crafted request to access internal servers.

IMPACT:

A remote user can access internal servers.

SOLUTION:

The vendor has issued a patch for version 2.2.21.
Apache 2.2.21 (released 2011-09-13)
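
A configuration check to support the review, added here as an example and not part of the original bulletin or the Apache project's code: it lists the ProxyPassMatch directives and the RewriteRule directives carrying the proxy flag ([P] or [proxy]), which are the pattern-matching reverse proxy rules the discussion names. The sample configuration and its hostnames are constructed, and the function names are this example's own.

```python
import re

# Constructed sample configuration; hostnames are placeholders, not from the bulletin.
SAMPLE_CONF = r'''RewriteEngine On
RewriteRule ^/app/(.*)$ http://backend.internal.example:8080/$1 [P,L]
RewriteRule ^/old/(.*)$ /new/$1 [R=301,L]
ProxyPassMatch ^/img/(.*\.png)$ \
    http://images.internal.example/$1
# ProxyPassMatch ^/disabled/(.*)$ http://old.internal.example/$1
ProxyPass /api/ http://api.internal.example/
'''

TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\S+')  # quoted argument or bare word

def logical_lines(text):
    """Yield (first_line_number, text) per directive, joining '\\' continuations."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = n if start is None else start
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip() and not buf.lstrip().startswith("#"):
            yield start, buf.strip()
        buf, start = "", None

def rewrite_flags(args):
    """Lower-cased flag names from a RewriteRule's optional [flags] argument."""
    if len(args) >= 4 and args[3].startswith("[") and args[3].endswith("]"):
        return {f.split("=")[0].strip().lower() for f in args[3][1:-1].split(",")}
    return set()

def find_pattern_proxy_directives(text):
    """Return (line, directive, pattern, target) for each rule to review."""
    hits = []
    for lineno, line in logical_lines(text):
        args = [t.strip('"') for t in TOKEN.findall(line)]
        name = args[0].lower()  # directive names are case-insensitive
        if name == "proxypassmatch" and len(args) >= 3:
            hits.append((lineno, "ProxyPassMatch", args[1], args[2]))
        elif name == "rewriterule" and rewrite_flags(args) & {"p", "proxy"}:
            hits.append((lineno, "RewriteRule", args[1], args[2]))
    return hits

if __name__ == "__main__":
    for hit in find_pattern_proxy_directives(SAMPLE_CONF):
        print("line %d: %s %s -> %s" % hit)
```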

 
