Reverse proxy bypass

Description

The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.

A configuration like one of the following examples:

RewriteRule (.*)\.(jpg|gif|png) http://images.example.com$1.$2 [P]
ProxyPassMatch (.*)\.(jpg|gif|png) http://images.example.com$1.$2

could result in an exposure of internal servers. A request of the form:

GET @other.example.com/something.png HTTP/1.1

would get translated to a target of:

http://images.example.com@other.example.com/something.png

This will cause the proxy to connect to the hostname "other.example.com", because the "images.example.com@" segment is treated as user credentials (the userinfo part) when the target URL is parsed. A remote attacker can therefore make the proxy connect to hosts other than those intended, which can be a security exposure in some circumstances (for example, reaching intranet servers that the proxy can see but the attacker cannot).

Remediation

Apache HTTPD users should examine their configuration files to determine if they have used an insecure configuration for reverse proxying. Affected users can update their configuration, or apply the patch.

For example, the above RewriteRule could be changed to:

RewriteRule /(.*)\.(jpg|gif|png) http://images.example.com/$1.$2 [P]

to ensure the pattern only matches against paths with a leading "/".
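The following is an added example, not part of the advisory or of the Apache project's own code. It models, in Python, how the two RewriteRule patterns above are applied to a request-URI and then parses the rewritten target the way a URL parser does, so the host the proxy would actually connect to becomes visible. The request-URIs, the `audit_rule` helper and the `EXPECTED_HOST` constant are constructed for illustration; the patterns and substitutions are the advisory's, with Apache's `$1` backreferences written as Python's `\1`.

```python
import re
from urllib.parse import urlsplit

# The two RewriteRule forms from the advisory as (pattern, substitution) pairs.
# Apache writes backreferences as $1/$2; Python's re uses \1/\2. The [P] flag
# (proxy the rewritten target) is implied for both.
VULNERABLE_RULE = (r"(.*)\.(jpg|gif|png)", r"http://images.example.com\1.\2")
FIXED_RULE = (r"/(.*)\.(jpg|gif|png)", r"http://images.example.com/\1.\2")

# Host the operator intends the proxy to reach (assumption for this example).
EXPECTED_HOST = "images.example.com"

# Constructed request-URIs: a normal image request, the malformed request
# line from the advisory (no leading "/", starts with "@"), and a non-match.
SAMPLE_REQUEST_URIS = [
    "/images/photo.jpg",
    "@other.example.com/something.png",
    "/index.html",
]


def rewrite_target(rule, request_uri):
    """Apply a RewriteRule-style (pattern, substitution) to a request-URI.

    Returns the rewritten proxy target, or None when the pattern does not
    match (the rule then does not fire). RewriteRule patterns are unanchored
    regular expressions, which re.search models here.
    """
    pattern, substitution = rule
    match = re.search(pattern, request_uri)
    if match is None:
        return None
    return match.expand(substitution)


def proxy_target_host(target):
    """Return the host a URL parser extracts from the rewritten target.

    Anything before an '@' in the authority is userinfo, not the host, which
    is exactly why "images.example.com@other.example.com" resolves to the
    second name.
    """
    return urlsplit(target).hostname


def audit_rule(rule, request_uris):
    """Run each request-URI through the rule and report where it would go.

    Each result is (request_uri, target, host, safe); safe is True when the
    rule either does not fire or only ever reaches EXPECTED_HOST.
    """
    results = []
    for uri in request_uris:
        target = rewrite_target(rule, uri)
        host = proxy_target_host(target) if target is not None else None
        safe = host is None or host == EXPECTED_HOST
        results.append((uri, target, host, safe))
    return results


if __name__ == "__main__":
    for name, rule in (("vulnerable", VULNERABLE_RULE), ("fixed", FIXED_RULE)):
        print(f"== {name} rule ==")
        for uri, target, host, safe in audit_rule(rule, SAMPLE_REQUEST_URIS):
            verdict = "ok" if safe else "UNEXPECTED HOST"
            print(f"{uri!r:40} -> {target!s:60} host={host} [{verdict}]")
```

Running the script shows the vulnerable rule turning the advisory's request into `http://images.example.com@other.example.com/something.png`, which parses to host `other.example.com`, while the fixed rule produces a target whose host is always `images.example.com`: the `/` placed directly after the hostname in the substitution guarantees that whatever the pattern captured lands in the path, never in the authority. The same check applies to the ProxyPassMatch form, whose pattern and `$1` substitution semantics are the same.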

Tags
  • XFS