Apache Flaw Allows Internal Network Access
angry tapir writes "A yet-to-be-patched flaw discovered in the Apache HTTP server allows attackers to access protected resources on the internal network if some rewrite rules are not defined properly. The vulnerability affects Apache installations that operate in reverse proxy mode, a type of configuration used for load balancing, caching and other operations that involve the distribution of resources over multiple servers."
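The summary leaves the "not defined properly" part abstract. The issue it describes (the one Context Information Security reported in October 2011, later tracked as CVE-2011-3368) is a mod_rewrite or ProxyPassMatch rule whose pattern does not insist on a leading slash, e.g. `RewriteRule ^(.*) http://internalserver$1 [P]`. A normal request-URI begins with "/", so the target comes out as `http://internalserver/path`. But HTTP/1.1 clients can send a request line such as `GET @internal-host/ HTTP/1.1`; the rule then yields `http://internalserver@internal-host/`, which any URL parser reads as userinfo "internalserver" and host "internal-host", so the proxy fetches from a host of the attacker's choosing. The Python below is an added illustration, not code from the Slashdot story or from the Apache project: it mimics the substitution, shows the weak rule next to the corrected one, applies the kind of request-URI check the server-side fix introduced, and lints a constructed httpd.conf fragment for unanchored proxy rules. The backend name `internalserver`, the host `internal-host`, and the config fragment are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed rules modelled on the advisory's pattern. Hypothetical backend "internalserver".
WEAK_RULE = (r"^(.*)", "http://internalserver$1")      # no leading slash required, none added
FIXED_RULE = (r"^/(.*)", "http://internalserver/$1")   # slash required in the pattern and in the target


def apply_rewrite(rule, request_uri):
    """Mimic a mod_rewrite [P] rule: regex-match the request-URI, expand $N in the target.
    Returns the URL that would be proxied, or None when the pattern does not match."""
    pattern, target = rule
    m = re.match(pattern, request_uri)
    if not m:
        return None
    # Callable replacement: the captured text is inserted literally, as mod_rewrite does.
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), target)


def proxied_host(rule, request_uri):
    """The host the proxy would actually connect to after the rewrite."""
    url = apply_rewrite(rule, request_uri)
    return urlsplit(url).hostname if url else None


def request_uri_is_acceptable(request_uri):
    """Approximation of the server-side hardening: an origin-form request-URI must start
    with '/' (or be the '*' of OPTIONS) before it is allowed to feed a proxy rule.
    This is an illustrative check, not the exact Apache patch."""
    return request_uri == "*" or request_uri.startswith("/")


def pattern_requires_leading_slash(pattern):
    """Linter rule: a proxying pattern should anchor on '^/' so stray userinfo-style
    request-URIs can never reach the target URL."""
    return pattern.startswith("^/")


# Constructed httpd.conf fragment for the linter.
SAMPLE_CONFIG = """\
# constructed httpd.conf fragment for illustration
RewriteEngine On
RewriteRule ^(.*) http://internalserver$1 [P]
RewriteRule ^/static/(.*) /var/www/static/$1 [L]
ProxyPassMatch ^(.*\\.php)$ http://internalserver$1
RewriteRule ^/(.*) http://internalserver/$1 [P]
"""

RULE_RE = re.compile(r"^\s*(RewriteRule|ProxyPassMatch)\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?")


def lint_config(text):
    """Return (line number, directive, pattern) for every proxying rule whose pattern
    does not require a leading slash. ProxyPassMatch always proxies; RewriteRule only
    when the P flag is present."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue
        directive, pattern, _target, flags = m.groups()
        flag_list = [f.strip() for f in flags.split(",")] if flags else []
        is_proxy = directive == "ProxyPassMatch" or "P" in flag_list
        if is_proxy and not pattern_requires_leading_slash(pattern):
            findings.append((lineno, directive, pattern))
    return findings


if __name__ == "__main__":
    for uri in ("/index.html", "@internal-host/"):
        print(f"{uri!r:20} weak -> {proxied_host(WEAK_RULE, uri)!s:15} "
              f"fixed -> {proxied_host(FIXED_RULE, uri)!s:15} "
              f"accepted={request_uri_is_acceptable(uri)}")
    for lineno, directive, pattern in lint_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {directive} pattern {pattern!r} does not require a leading slash")
```

Two layers matter here: the pattern fix (`^/(.*)`) closes the hole in your own configuration, while the request-URI check is what the server update added so that an admin who never reads the advisory is still protected. The linter only flags the anchor problem; an un-slashed target such as `http://internalserver$1` is the second half of the misconfiguration and is worth grepping for as well.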
Yawn (Score:3, Insightful)
Re:Use nginx? (Score:2, Insightful)
On RHEL and CentOS "yum search nginx" says "No Matches found". Do I need to say more? :)
Re:Probably not worthy of a front page article... (Score:4, Insightful)
It's easy to misconfigure those rewrite rules, and trust me, larger companies have internal resources that really should stay private. That Apache allows access to such resources is a huge flaw.
Wait a minute... (Score:5, Insightful)
Let me get this straight... IF you run Apache as a reverse proxy AND you misconfigure your mod_rewrite rules, then people can unintentionally access internal resources? I'm SHOCKED! SHOCKED, I tell you!
That being said, I did RTFM and it's kind of a cute attack. It probably should be patched to protect people from shooting themselves in the foot, but I'm not sure I'd actually call it a vulnerability...
Re:Use nginx? (Score:3, Insightful)
nginx requires you to proxy everything, with Apache you can serve most of the website on that server and proxy away only a small part. Damn useful if you want to run something that needs its own http server (like, python-tornado) yet you don't want to give it a separate subdomain.
Re:Probably not worthy of a front page article... (Score:5, Insightful)
If you have internal resources that need to stay private, have a large IT budget, run many Apache servers in reverse proxy modes and one of your admins is STUPID enough to not only mis-write their regular expressions like this (even if it wasn't obvious to an amateur), but they also fail to keep up on the security lists that have been discussing this for weeks, ignore all the advice given and have to find out via Slashdot that they need to do something - you are REALLY employing the wrong IT people.
Everyone else? It doesn't actually affect them.
Re:Garbage in, (Score:5, Insightful)
Pretty stupid thing to say. If the person who inputs the garbage is the admin (which is the case here, since only an admin can create rewrite rules) then it's not surprising that security might be compromised. There's no way you can make software safe from incompetent people with admin privileges.