Welcome to WebmasterWorld Guest from 54.160.163.163

Forum Moderators: Ocean10000 & incrediBILL & phranque

Message Too Old, No Replies

Apache security flaw

Apache exposes and allows access to internal servers

     

JasonD

9:25 pm on Oct 6, 2011 (gmt 0)

10+ Year Member



Hi guys,

just a heads up that a new flaw that affects Apache, and likely other web servers, if certain reverse proxy and/or ModRewrite rules are in place allowing access to internal servers.

It's easy to fix so please take your time to look at your httpd.conf and/or .htaccess rules.

Full details at

[bit.ly...]

g1smd

9:42 pm on Oct 6, 2011 (gmt 0)

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



There's a related issue when you use mod_rewrite for normal URL rewriting, especially when you use:

RewriteRule ^(some-pattern) $1/somestuff [L]


instead of:

RewriteRule ^(some-pattern) /$1/somestuff [L]


Here, the leading slash should always be included.

JasonD

7:54 pm on Oct 7, 2011 (gmt 0)

10+ Year Member



I'm very surprised that no one, other than yourself g1smd, has dived into this thread.

The majority of web sites, and probably almost every SEO'd site out, is potentially vulnerable to have their DB server and/or every other internal resource (such as router) leaving themselves vulnerable to the worst kind of abuse.

That abuse could be a simple re routing of a site's content (via routing tables at the router level), DNS poisoning for whole companies and subnets, customer data theft and a thousand other abuses.

The shame is that it is so simple to check if you are vulnerable and so easy to fix, with a simple addition of one character - a slash !

g1smd

8:06 pm on Oct 7, 2011 (gmt 0)

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



If you read a good few of the mod_rewrite tutorials published on "SEO websites" you'll soon realise that 99% of the "authors" don't actually understand any of this stuff, and seemingly merely parrot the worst tutorials and the same basic errors over and over again.

Yes, it's a simple flaw and an easy fix. Shame that it will be ignored by the vast majority of sites that need to check things out.