Specialists serving server Apache, warn that their HTTP daemon is vulnerable to exploits that give an attacker a chance to send a special team to address the internal servers.
Vulnerability in version 1.3 and all the second version can be used only under certain conditions. For example, the server must be running in reverse proxy mode, which is often used for load balancing and for the separation of static and dynamic content. But even in this case, the internal systems are susceptible to third-party access only when using certain rewrite rules.
And, nevertheless, vulnerable configuration uses a reverse proxy often enough to give professionals a reason to release Apache service in this environment a number of tips that recommend users to check their systems and find out whether they are subject to risks.
“Using a RewriteRule directive or ProxyPassMatch to configure reverse proxy on a template, you can inadvertently expose internal servers to the risk of remote users who send requests for specially designed” – read as advice. “The server does not check whether the string passed in the pattern string is really the way, so that the template can be extended to non-target URL”.
The vulnerability reported firm Context Information Security, an advisory agency for information security, with offices located in London and other cities. In the blog, company researchers said that the vulnerability could be used to gain access to extremely sensitive demilitarized zones organizations that should be accessible only to trusted users.
“We can get access to the internal / DMZ system which has access to the proxy, including the administration interfaces of firewalls, routers, servers, databases, etc.” – they wrote.
“We have made great strides in the attack. After verification of powers in the low-end systems, and allows you to jeopardize an entire network, including the ability to upload files to servers Trojan War JBoss”.
In a press release, researchers announced the company that other web servers and proxies may be susceptible to exploits.
Apache has released a patch for those who compile their own build server. Not surprisingly, if the Linux distributions released their own update in a few days. Advisory of Apache also contains proposals for rewriting the rules of the proxy, which can prevent the effect of the attack.
Security researcher Dan Rosenberg echoes the warnings and said that the damage caused by poorly configured proxy can be catastrophic and that the risk may extend well beyond the Apache.
“At worst, it could turn into something that attackers will be able to read sensitive data from internal resources,” – he wrote in an email. “I would not be too surprised if it turned out that the mechanisms of a reverse proxy to other servers were also affected, but the bug is very specific in terms of its implementation, so that without checking for sure say it is impossible.”