
Apache Flaw Allows Internal Network Access

Posted by samzenpus
from the protect-ya-neck dept.
angry tapir writes "A yet-to-be-patched flaw discovered in the Apache HTTP server allows attackers to access protected resources on the internal network if some rewrite rules are not defined properly. The vulnerability affects Apache installations that operate in reverse proxy mode, a type of configuration used for load balancing, caching and other operations that involve the distribution of resources over multiple servers."
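The summary does not say which rewrite rules count as "not defined properly". In the reverse-proxy rules this class of bug concerns, the well-known weak shape is a proxying RewriteRule whose substitution appends the captured request path directly after the backend host with no separating "/", and whose pattern is not anchored at "^/". The following linter is an added example written for this page, not code from the story, the submitter, or the Apache project; it treats that shape as the thing to detect, runs over a constructed httpd.conf fragment, and assumes server or virtual-host context (in a per-directory .htaccess the leading slash is stripped before matching, so the "^/" check would be a false positive there).

```python
import re

# Constructed sample configuration fragment (not from the page):
# one weak proxy rule, one safe proxy rule, one non-proxy redirect.
SAMPLE_CONF = """\
RewriteEngine On
# Weak: captured path is glued to the backend host with no "/" in between
RewriteRule ^(.*) http://backend.internal$1 [P]
# Safe: pattern anchored at "/", substitution keeps host and path separate
RewriteRule ^/app/(.*)$ http://backend.internal/app/$1 [P,L]
# Not a proxy rule; the check ignores it
RewriteRule ^/old/(.*)$ /new/$1 [R=301,L]
"""

# RewriteRule <pattern> <substitution> [<flags>]
RULE_RE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?', re.I)
# scheme://host[:port] and whatever immediately follows the host part
TARGET_RE = re.compile(r'^(?P<scheme>https?|ftp)://(?P<host>[^/$\s]+)(?P<rest>.*)$', re.I)


def lint_rewrite_rules(conf_text):
    """Return (line_no, reason) findings for proxying RewriteRules whose
    substitution lets client-controlled text sit directly after the backend host,
    or whose pattern does not require the request path to start with '/'."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), start=1):
        m = RULE_RE.match(line)
        if not m:
            continue
        pattern, subst, flags = m.group(1), m.group(2), (m.group(3) or "")
        flag_list = [f.strip().upper() for f in flags.split(",") if f.strip()]
        # mod_rewrite spells the proxy flag as P or proxy
        if "P" not in flag_list and "PROXY" not in flag_list:
            continue
        target = TARGET_RE.match(subst)
        if not target:
            continue  # relative substitution, nothing to check here
        host, rest = target.group("host"), target.group("rest")
        if not rest.startswith("/"):
            findings.append((no, "substitution %r appends captured text directly "
                                 "after backend host %r; insert a '/' after the host"
                                 % (subst, host)))
        if not pattern.startswith("^/"):
            findings.append((no, "pattern %r is not anchored at '^/', so request "
                                 "targets that do not begin with '/' still match"
                                 % pattern))
    return findings


if __name__ == "__main__":
    for line_no, reason in lint_rewrite_rules(SAMPLE_CONF):
        print("line %d: %s" % (line_no, reason))
```

Run against a real httpd.conf by reading the file into `lint_rewrite_rules`; rules loaded via Include files need to be linted file by file, since the helper does not follow includes.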

  • Yawn (Score:3, Insightful)

    by Anonymous Coward on Monday November 28, 2011 @06:19AM (#38188366)
    Improper regex usage causes intended consequences, news at 11.
  • Re:Garbage in, (Score:5, Insightful)

    by Eraesr (1629799) on Monday November 28, 2011 @06:29AM (#38188410) Homepage
    Pretty stupid thing to say. Garbage in should never mean "protected resources out".
  • Re:Use nginx? (Score:2, Insightful)

    by Anonymous Coward on Monday November 28, 2011 @06:31AM (#38188426)

    On RHEL and CentOS "yum search nginx" says "No Matches found". Do I need to say more? :)

  • by CmdrPony (2505686) on Monday November 28, 2011 @06:43AM (#38188504)
    Just because you don't run such large sites doesn't mean it's not going to be a problem for anyone. When it's about some Microsoft vulnerability, there are new stories even for some minor things. I think an Apache vulnerability is a big thing.

    It's easy to misconfigure those rewrite rules, and trust me, larger companies have internal resources that really should stay private. That Apache allows access to such resources is a huge flaw.
  • Wait a minute... (Score:5, Insightful)

    by supersat (639745) on Monday November 28, 2011 @06:47AM (#38188530)

    Let me get this straight... IF you run Apache as a reverse proxy AND you misconfigure your mod_rewrite rules, then people can unintentionally access internal resources? I'm SHOCKED! SHOCKED, I tell you!

    That being said, I did RTFM and it's kind of a cute attack. It probably should be patched to protect people from shooting themselves in the foot, but I'm not sure I'd actually call it a vulnerability...

  • Re:Use nginx? (Score:3, Insightful)

    by KiloByte (825081) on Monday November 28, 2011 @07:03AM (#38188590)

    nginx requires you to proxy everything, with Apache you can serve most of the website on that server and proxy away only a small part. Damn useful if you want to run something that needs its own http server (like, python-tornado) yet you don't want to give it a separate subdomain.

  • by ledow (319597) on Monday November 28, 2011 @07:13AM (#38188626) Homepage

    If you have internal resources that need to stay private, have a large IT budget, run many Apache servers in reverse proxy modes and one of your admins is STUPID enough to not only mis-write their regular expressions like this (even if it wasn't obvious to an amateur), but they also fail to keep up on the security lists that have been discussing this for weeks, ignore all the advice given and have to find out via Slashdot that they need to do something - you are REALLY employing the wrong IT people.

    Everyone else? It doesn't actually affect them.

  • Re:Garbage in, (Score:5, Insightful)

    by Sqr(twg) (2126054) on Monday November 28, 2011 @08:39AM (#38189096)

    Pretty stupid thing to say. If the person who inputs the garbage is the admin (which is the case here, since only an admin can create rewrite rules) then it's not surprising that security might be compromised. There's no way you can make software safe from incompetent people with admin privileges.
