Bugzilla – Bug 722545
VUL-1: CVE-2011-3368: apache2: mod_proxy reverse proxy exposure
Last modified: 2015-09-25 13:18:31 UTC
Apache HTTP Server Security Advisory
====================================

Title: mod_proxy reverse proxy exposure
CVE: CVE-2011-3368
Date: 20111005
Product: Apache HTTP Server
Versions: httpd 1.3 all versions, httpd 2.x all versions

Description:
============

An exposure was reported affecting the use of Apache HTTP Server in reverse proxy mode. We would like to thank Context Information Security Ltd for reporting this issue to us.

When using the RewriteRule or ProxyPassMatch directives to configure a reverse proxy using a pattern match, it is possible to inadvertently expose internal servers to remote users who send carefully crafted requests. The server did not validate that the input to the pattern match was a valid path string, so a pattern could expand to an unintended target URL.

For future releases of the Apache HTTP Server, the software will validate the request URI, correcting this specific vulnerability. The documentation has been updated to reflect the more general risks with pattern matching in a reverse proxy configuration.

Details:
========

A configuration like one of the following examples:

  RewriteRule (.*)\.(jpg|gif|png) http://images.example.com$1.$2 [P]
  ProxyPassMatch (.*)\.(jpg|gif|png) http://images.example.com$1.$2

could result in an exposure of internal servers. A request of the form:

  GET @other.example.com/something.png HTTP/1.1

would get translated to a target of:

  http://images.example.com@other.example.com/s...

This will cause the proxy to connect to the hostname "other.example.com", as the "images.example.com@" segment would be treated as user credentials when parsing the URL. This would allow a remote attacker the ability to proxy to hosts other than those expected, which could be a security exposure in some circumstances.

The request-URI string in this example, "@other.example.com/something.png", is not valid according to the HTTP specification, since it is neither an absolute URI ("http://example.com/path") nor an absolute path ("/path").

For future releases, the server has been patched to reject such requests, instead returning a "400 Bad Request" error.

Actions:
========

Apache HTTPD users should examine their configuration files to determine if they have used an insecure configuration for reverse proxying. Affected users can update their configuration, or apply the patch from:

  http://www.apache.org/dist/httpd/patches/appl...

For example, the above RewriteRule could be changed to:

  RewriteRule /(.*)\.(jpg|gif|png) http://images.example.com/$1.$2 [P]

to ensure the pattern only matches against paths with a leading "/"
http://svn.apache.org/viewvc?view=revision&revision=1179239
I'm at it. This is planned-updates?
Yes, it's only planned updates for now.
together with https://bugzilla.novell.com/show_bug.cgi?id=719236 identical package submission:

SUSE:SLE-11-SP1:Update:Test request id 15511
SUSE:SLE-11-SP2:GA request id 15510

reassigned to security-team@ for handling. Thank you!
The SWAMPID for this issue is 43597. This issue was rated as moderate. Please submit fixed packages until 2011-10-24. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
the rewrite rule needs to be within a VirtualHost tag, but not within a Directory tag. Also use:

telnet frisch.suse.de 80
GET @www.suse.de/foo.png

which should not give the www.suse.de 404 page.
(it seems under most conditions we test that the "invalid uri" checker in server/core.c ap_core_translate() is activated already and captures this problem.)
test case I did use:

before:
-------
telnet frisch.suse.de 80
Trying 10.10.3.191...
Connected to frisch.suse.de.
Escape character is '^]'.
GET @merope.suse.de/foo.png
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Object not found!</title>
<link rev="made" href="mailto:%5bno%20address%20given%5d" />
<style type="text/css"><!--/*--><![CDATA[/*><!--*/
body { color: #000000; background-color: #FFFFFF; }
a:link { color: #0000CC; }
p, address {margin-left: 3em;}
span {font-size: smaller;}
/*]]>*/--></style>
</head>
<body>
<h1>Object not found!</h1>
<p>
The requested URL was not found on this server.
If you entered the URL manually please check your spelling and try again.
</p>
<p>
If you think this is a server error, please contact the <a href="mailto:%5bno%20address%20given%5d">webmaster</a>.
</p>
<h2>Error 404</h2>
<address>
<a href="/">merope.suse.de</a><br />
<span>Mon Oct 24 15:12:50 2011<br />
Apache/2.2.12 (Linux/SUSE)</span>
</address>
</body>
</html>
Connection closed by foreign host.

after:
------
telnet sunrise.suse.de 80
Trying 10.10.4.1...
Connected to sunrise.suse.de.
Escape character is '^]'.
GET @merope.suse.de/foo.png
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Object not found!</title>
<link rev="made" href="mailto:%5bno%20address%20given%5d" />
<style type="text/css"><!--/*--><![CDATA[/*><!--*/
body { color: #000000; background-color: #FFFFFF; }
a:link { color: #0000CC; }
p, address {margin-left: 3em;}
span {font-size: smaller;}
/*]]>*/--></style>
</head>
<body>
<h1>Object not found!</h1>
<p>
The requested URL was not found on this server.
If you entered the URL manually please check your spelling and try again.
</p>
<p>
If you think this is a server error, please contact the <a href="mailto:%5bno%20address%20given%5d">webmaster</a>.
</p>
<h2>Error 404</h2>
<address>
<a href="/">merope.suse.de</a><br />
<span>Mon Oct 24 15:14:50 2011<br />
Apache/2.2.12 (Linux/SUSE)</span>
</address>
</body>
</html>
Connection closed by foreign host.
package submitted to sle11-sp2:GA (change was already contained, but pdb entry for Description and Summary were changed) as request id 15867
same for sle11-sp1:Update:Test as request id 15868
sle10-sp4 as request id 15869, sle10-sp3 as request id 15870,
obs 11.3 request id 89214
obs 11.4 request id 89213
apache 2.0 packages to SLES9-SP4 and SLES9-SP3-TERADATA

all of the above are submissions that combine this bug with Bug 719236 - VUL-1: apache2: mod_proxy_ajp when combined with mod_proxy_balancer: Prevents unrecognized HTTP methods from marking ajp
except for sles9 apache-2.0, where mod_proxy_ajp, subject of bnc#719236, is not contained.

Bug already assigned to security-team@ for further handling. Thank you, Roman.
This is an autogenerated message for OBS integration: This bug (722545) was mentioned in https://build.opensuse.org/request/show/89213 11.4 / apache2 https://build.opensuse.org/request/show/89214 11.3 / apache2 https://build.opensuse.org/request/show/89218 Evergreen:11.2 / apache2
It's somehow half fixed.

$ telnet sunrise.suse.de 80
GET @www.suse.de/foo.png
... content of www.suse.de 404 page ...
$

the access.log on sunrise has:
10.10.0.233 - - [25/Oct/2011:13:22:56 +0200] "GET @www.suse.de/foo.png" 404 16006 "-" "-"

the error.log on sunrise has:
[Tue Oct 25 13:22:56 2011] [error] [client 10.10.0.233] invalid request-URI @www.suse.de/foo.png

but the request got delivered anyway...
I think the fix does not handle HTTP/0.9 requests. I mailed dev@httpd.apache.org.
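An added illustration (Python, written for this page; it is neither httpd code nor an attachment from this bug) of two points made above: how the advisory's unanchored pattern lets "images.example.com@" become userinfo so the proxy reaches the wrong host, and the request-URI validation the fix introduces, applied here to both an HTTP/1.1 request line and the bare HTTP/0.9 form that the comment above found was still being delivered. The rules and hostnames are the advisory's; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Hypothetical re-implementation of the two RewriteRule variants from the advisory
# (pattern, substitution). \1 and \2 stand in for mod_rewrite's $1 and $2.
VULNERABLE_RULE = (re.compile(r"(.*)\.(jpg|gif|png)"), r"http://images.example.com\1.\2")
FIXED_RULE = (re.compile(r"/(.*)\.(jpg|gif|png)"), r"http://images.example.com/\1.\2")


def expand_target(rule, request_uri):
    """Apply the rule like mod_rewrite does (unanchored search); None if no match."""
    pattern, subst = rule
    match = pattern.search(request_uri)
    return match.expand(subst) if match else None


def proxied_host(target_url):
    """Host the proxy would really connect to: anything before '@' is userinfo."""
    return urlsplit(target_url).hostname


def is_valid_request_uri(uri):
    """Check the patched server applies: a request-URI must be an absolute path
    ('/...') or an absolute URI with scheme and host ('http://host/...').
    The '*' form (OPTIONS) is accepted too; CONNECT's authority form is left out."""
    if uri == "*" or uri.startswith("/"):
        return True
    parts = urlsplit(uri)
    return bool(parts.scheme) and bool(parts.netloc)


def request_line_uri(request_line):
    """Request-URI from 'GET /x HTTP/1.1' or the bare HTTP/0.9 form 'GET /x'."""
    tokens = request_line.split()
    return tokens[1] if len(tokens) in (2, 3) else None


def proxy_decision(rule, request_line):
    """Outcome on a patched server: '400' (rejected) or the host it would proxy to."""
    uri = request_line_uri(request_line)
    if uri is None or not is_valid_request_uri(uri):
        return "400"
    target = expand_target(rule, uri)
    return proxied_host(target) if target else None


if __name__ == "__main__":
    crafted = "@other.example.com/something.png"   # the advisory's request-URI
    for name, rule in (("vulnerable", VULNERABLE_RULE), ("fixed", FIXED_RULE)):
        print(name, "->", proxied_host(expand_target(rule, crafted)))
    # A bare HTTP/0.9 request line must be rejected as well, not only HTTP/1.1 ones.
    print(proxy_decision(VULNERABLE_RULE, "GET @www.suse.de/foo.png"))
```

With the leading "/" in the pattern the same crafted URI still matches, but only from "/something.png" onwards, so the expansion stays on images.example.com.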
This is an autogenerated message for OBS integration: This bug (722545) was mentioned in https://build.opensuse.org/request/show/89273 11.3 / apache2 https://build.opensuse.org/request/show/89274 11.4 / apache2
Plüm, Rüdiger mailed back a testpatch to fix this. Needed a bit of adaptation to the 2.2.12 apache codebase in sle11 sp1.
Created attachment 458755 [details] protocol-incremental.patch

adjusted patch that also forwardports the error condition handling in the caller.
re-submitted to sle11-sp1,2, sle10-sp3,4, sles9-SP3-TERADATA, obs 11.2,3 and Evergreen:11.2:Test.
The incremental fix was not required for 2.2.18 and later according to dev@httpd.apache.org, as it is caught otherwise.
This is an autogenerated message for OBS integration: This bug (722545) was mentioned in https://build.opensuse.org/request/show/89414 11.3 / apache2 https://build.opensuse.org/request/show/89415 11.4 / apache2
On SLE-10-SP4, after adding these lines to a config, a restart of apache shows the following error:

rcapache2 restart
Module "imap" is not installed, ignoring.
Check the APACHE_MODULES setting in /etc/sysconfig/apache2.
Syntax error on line 95 of /etc/apache2/vhosts.d/foobar.conf:
Invalid command 'ProxyPassMatch', perhaps misspelled or defined by a module not included in the server configuration

Looks like SLE-10-SP4 could not handle the ProxyPassMatch. Or is a package or config missing? The same config worked on SLE-11-SP1.

What I did: copied vhost.template and renamed it to foobar.conf in dir /etc/apache2/vhosts.d:

RewriteEngine on
RewriteRule (.*)\.(jpg|gif|png) http://leo.suse.de$1.$2 [P]
ProxyPassMatch (.*)\.(jpg|gif|png) http://leo.suse.de/$1.$2
ProxyPassMatch is only available since apache version 2.2.5 (http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypassmatch)
Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-event-debuginfo, apache2-example-certificates, apache2-example-pages, apache2-itk, apache2-itk-debuginfo, apache2-prefork, apache2-prefork-debuginfo, apache2-utils, apache2-utils-debuginfo, apache2-worker, apache2-worker-debuginfo Products: openSUSE 11.3 (debug, i586, x86_64) openSUSE 11.4 (debug, i586, x86_64)
Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-utils, apache2-worker Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1-TERADATA (x86_64) SLES4VMWARE 11-SP1 (i386, x86_64)
Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker Products: SLE-DEBUGINFO 10-SP3 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64) SLE-SERVER 10-SP3-TERADATA (x86_64)
https://community.qualys.com/blogs/securitylabs/tags/cve-2011-4317
http://www.gossamer-threads.com/lists/apache/dev/405528

There is another variant of this bug which has been assigned CVE-2011-4317.
the incremental fix was assigned CVE-2011-3639.
This is an autogenerated message for OBS integration: This bug (722545) was mentioned in https://build.opensuse.org/request/show/94080 12.1 / apache2
Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-event-debuginfo, apache2-example-certificates, apache2-example-pages, apache2-itk, apache2-itk-debuginfo, apache2-prefork, apache2-prefork-debuginfo, apache2-utils, apache2-utils-debuginfo, apache2-worker, apache2-worker-debuginfo Products: openSUSE 11.4 (debug, i586, x86_64)
Update released for: apache2, apache2-devel, apache2-doc, apache2-example-pages, apache2-leader, apache2-metuxmpm, apache2-perchild, apache2-prefork, apache2-worker, libapr0 Products: SUSE-CORE 9-LTSS (i386, s390, s390x, x86_64)
released
Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker Products: SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64) SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Update released for: apache2, apache2-devel, apache2-doc, apache2-example-pages, apache2-leader, apache2-metuxmpm, apache2-perchild, apache2-prefork, apache2-worker, libapr0 Products: SUSE-CORE 9-SP3-TERADATA (x86_64)
This is an autogenerated message for OBS integration: This bug (722545) was mentioned in https://build.opensuse.org/request/show/150193 Maintenance / https://build.opensuse.org/request/show/150241 Maintenance / https://build.opensuse.org/request/show/150242 Evergreen:11.2 / apache2
openSUSE-SU-2013:0243-1: An update that solves 5 vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 722545,757710,777260,788121,789828,798733 CVE References: CVE-2011-3368,CVE-2011-4317,CVE-2012-0883,CVE-2012-2687,CVE-2012-4557 Sources used: openSUSE 12.1 (src): apache2-2.2.21-3.9.1
This is an autogenerated message for OBS integration: This bug (722545) was mentioned in https://build.opensuse.org/request/show/155176 Evergreen:11.2 / apache2
Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-utils, apache2-worker Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-utils, apache2-worker Products: SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP2 (i386, x86_64)
Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker Products: SLE-DEBUGINFO 10-SP3 (i386, s390x, x86_64) SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)
Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-utils, apache2-worker Products: SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64) SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64) SLES4VMWARE 11-SP1-LTSS (i386, x86_64)