Apache hole allows attackers to access internal servers

Security experts at Context have discovered a hole in the Apache web server that allows remote attackers to access internal servers. The mod_rewrite rewrite engine ensures that requests are distributed across different servers according to definable rules, for example, in order to balance loads or to separate dynamic and static content. This configuration is also called a reverse proxy. In certain circumstances, an @ sign within a request can cause the rewrite rules to resolve URLs incorrectly, allowing attackers to specify arbitrary hosts.

For instance, the HTTP request:

GET @InternalNotAccessibleServer/console HTTP/1.0

causes mod_rewrite to create the following URL:

http://internalserver:80@InternalNotAccessibleServer/console

Because of the @ sign, the segment that contains the actual host is interpreted as an HTTP authentication segment, and the request is redirected to any server (NotAccessibleServer) that the attacker chooses on the Apache server's local network. Further examples can be found in Context's report. The only prerequisite is that the attackers must know the local host name or the local IP address of the server they intend to access; however, this information can be obtained by brute force.

Apache 1.3 and all series 2 versions up to 2.2.20 are affected. As a workaround, an extra slash can be added to the rewrite rule. The report from Context also explains how to test whether a server is vulnerable and what to change if this is the case. In addition, the Apache Foundation has already released a patch for version 2.2.21 that will fix the problem.

(ehe)