
Apache Web Server Forum

    
Apache security flaw
Apache exposes and allows access to internal servers
JasonD

10+ Year Member



 
Msg#: 4371674 posted 9:25 pm on Oct 6, 2011 (gmt 0)

Hi guys,

Just a heads up about a new flaw that affects Apache, and likely other web servers, if certain reverse proxy and/or ModRewrite rules are in place, allowing access to internal servers.

It's easy to fix so please take your time to look at your httpd.conf and/or .htaccess rules.

Full details at

[bit.ly...]

 

g1smd

WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 10+ Year Member



 
Msg#: 4371674 posted 9:42 pm on Oct 6, 2011 (gmt 0)

There's a related issue when you use mod_rewrite for normal URL rewriting, especially when you use:

RewriteRule ^(some-pattern) $1/somestuff [L]

instead of:

RewriteRule ^(some-pattern) /$1/somestuff [L]

Here, the leading slash should always be included.
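
An added example, not part of the thread or any poster's code: a small Python check that scans config text for the missing-leading-slash shape shown in the two rules above, run over a constructed sample. The `audit` function, the placeholder host name, and the second check (a proxy target where the backreference follows the host with no slash) are assumptions that go beyond what the post spells out.

```python
import re
import shlex

# Substitution that begins with a backreference, e.g. "$1/somestuff".
LEADING_BACKREF = re.compile(r'^[$%]\d')
# Absolute URL with a backreference before any path slash, e.g. "http://host$1".
HOST_THEN_BACKREF = re.compile(r'^[a-z][a-z0-9+.-]*://[^/$%]*[$%]\d', re.I)

# Constructed sample config; the host name is a placeholder.
SAMPLE = r'''
# constructed sample
RewriteEngine On
RewriteRule ^(some-pattern) $1/somestuff [L]
RewriteRule ^(some-pattern) /$1/somestuff [L]
RewriteRule ^(.*)\.(jpg|gif|png)$ http://images.internal.example$1.$2 [P]
ProxyPassMatch ^/(.*)\.(jpg|gif|png)$ http://images.internal.example/$1.$2
RewriteRule ^old$ - [G]
'''

def audit(config_text):
    """Return (line_number, directive, reason) for each rule to review."""
    findings = []
    # Note: Apache backslash line continuations are not joined here.
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        try:
            parts = shlex.split(line)      # honours "quoted arguments"
        except ValueError:
            parts = line.split()           # stray quote or backslash: plain split
        if len(parts) < 3:
            continue
        if parts[0].lower() not in ('rewriterule', 'proxypassmatch'):
            continue
        target = parts[2]                  # substitution or proxy URL
        if LEADING_BACKREF.match(target):
            findings.append((lineno, parts[0], 'target starts with a backreference; add a leading slash'))
        elif HOST_THEN_BACKREF.match(target):
            findings.append((lineno, parts[0], 'no slash between host and backreference'))
    return findings

if __name__ == '__main__':
    for lineno, directive, reason in audit(SAMPLE):
        print(f'line {lineno}: {directive}: {reason}')
```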

JasonD

10+ Year Member



 
Msg#: 4371674 posted 7:54 pm on Oct 7, 2011 (gmt 0)

I'm very surprised that no one, other than yourself g1smd, has dived into this thread.

The majority of web sites, and probably almost every SEO'd site out there, are potentially vulnerable to having their DB server and/or every other internal resource (such as a router) exposed, leaving themselves vulnerable to the worst kind of abuse.

That abuse could be a simple rerouting of a site's content (via routing tables at the router level), DNS poisoning for whole companies and subnets, customer data theft and a thousand other abuses.

The shame is that it is so simple to check if you are vulnerable and so easy to fix, with a simple addition of one character - a slash!

g1smd

WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 10+ Year Member



 
Msg#: 4371674 posted 8:06 pm on Oct 7, 2011 (gmt 0)

If you read a good few of the mod_rewrite tutorials published on "SEO websites" you'll soon realise that 99% of the "authors" don't actually understand any of this stuff, and seemingly merely parrot the worst tutorials and the same basic errors over and over again.

Yes, it's a simple flaw and an easy fix. Shame that it will be ignored by the vast majority of sites that need to check things out.
