Apache Flaw Allows Internal Network Access 99
angry tapir writes "A yet-to-be-patched flaw discovered in the Apache HTTP server allows attackers to access protected resources on the internal network if some rewrite rules are not defined properly. The vulnerability affects Apache installations that operate in reverse proxy mode, a type of configuration used for load balancing, caching and other operations that involve the distribution of resources over multiple servers."
Probably not worthy of a front page article... (Score:5, Informative)
This is a fairly minor vulnerability at best, in order for it to matter to you at all:
1, you have to be using reverse proxy mode
2, you have to have misconfigured your rewrite rules
3, you have to actually have some internal resources that are private
The webservers I run, aside from not using Apache in reverse proxy mode...
Some of them are in isolated dmz networks, so the only data you could get at is part of the public website anyway...
The others are standalone webservers connected direct to the internet, a reverse proxy wouldn't get you anything you couldn't get to directly.
What percentage of apache users will actually fulfil all the criteria for this issue to even matter to them at all?
Re:Use nginx? (Score:4, Informative)
OLD NEWS (Score:4, Informative)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368 [mitre.org]
Re:Use nginx? (Score:4, Informative)
If you do that, you pay full passthrough costs for every single URL -- parsing, 587598237592 (approximately) context switches, ferrying data between two userspace processes, etc. With Apache, you suffer that only for URLs you actually need to proxy.