
Apache Flaw Allows Internal Network Access

Posted by samzenpus
from the protect-ya-neck dept.
angry tapir writes "A yet-to-be-patched flaw discovered in the Apache HTTP server allows attackers to access protected resources on the internal network if some rewrite rules are not defined properly. The vulnerability affects Apache installations that operate in reverse proxy mode, a type of configuration used for load balancing, caching and other operations that involve the distribution of resources over multiple servers."

  • Use nginx? (Score:5, Interesting)

    by mhh91 (1784516) on Monday November 28, 2011 @06:23AM (#38188388)

    Why would anyone use Apache as a reverse proxy anyway?

    I mean, there's nginx, and it runs circles around Apache as far as I know.

  • Re:Garbage in, (Score:5, Interesting)

    by Anonymous Coward on Monday November 28, 2011 @07:05AM (#38188600)

    Garbage out. What else is new?

    GI/GO is bullshit; you should never output garbage no matter how fucked up the input is. If you can't process it normally, you kick out an error condition of some sort; you don't just throw up your hands and say "Oh well, the user entered the wrong password so we'll just have to give him access to everything".

  • Re:Wait a minute... (Score:5, Interesting)

    by Tomato42 (2416694) on Monday November 28, 2011 @08:08AM (#38188944)
    It would be like patching rm against usage of -rf. Just because you can cut your finger with a knife doesn't mean that the knife is a badly made tool; it just means you failed as a knife user.

    The Apache vulnerability isn't part of normal config, let alone the default one. Non-story.
