Apache Security Patch for 2.2.21 : Will it be implemented?

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Apache Security Patch for 2.2.21 : Will it be implemented?

Postby jchelpdeskwv » 14. October 2011 20:59

Apache hole allows attackers to access internal servers. Apache 1.3 and all series 2 versions up to 2.2.20 are affected. As a workaround, an extra slash can be added to the rewrite rule. In addition, the Apache Foundation has already released a patch for version 2.2.21 that will fix the problem.

QUESTION IS:
Will this patch be integrated into the 2.2.21 version included in the current version anytime soon?
Last edited by Sharley on 17. October 2011 10:44, edited 1 time in total.
Reason: A clickable link has been created in my posts below.
jchelpdeskwv
 
Posts: 1
Joined: 14. October 2011 20:53

Re: Apache Security Patch for 2.2.21 : Will it be implemente

Postby Sharley » 14. October 2011 21:55

Thanks for making us aware of this issue. 8)
jchelpdeskwv wrote:As a workaround, an extra slash can be added to the rewrite rule.
If using the mod_rewrite rule and it affects you or any other reader then use this workaround until the developer makes a decision ( the developer has been made aware of this issue and your post ).

Click enabled link:
http://www.h-online.com/security/news/i ... 55890.html
User avatar
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: Apache Security Patch for 2.2.21 : Will it be implemente

Postby Sharley » 15. October 2011 23:21

It has been suggested to the developer that a new XAMPP 1.7.8 version be released. which will included a new Apache version with the patch included.

Will keep you all posted as soon as I hear anything definite.
User avatar
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: Apache Security Patch for 2.2.21 : Will it be implemente

Postby Sharley » 17. October 2011 10:53

The developer kvo has provided the follow information re this security issue.
kvo wrote:The security problem in Apache:
This from the above link:
"Apache 1.3 and all series 2 versions up to 2.2.20 are affected".
So Apache 2.2.21 in XAMPP 1.7.7 is NOT affected.
If you are running an older XAMPP version then, if possible, it may be advisable to install the latest 1.7.7 version.

Best wishes. :)
User avatar
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: Apache Security Patch for 2.2.21 : Will it be implemente

Postby hackattack142 » 17. October 2011 14:10

By the description of the vulnerability both here and at the link, it appears you are talking about this one (via: http://httpd.apache.org/security/vulner ... es_22.html)
Code: Select all
    moderate: mod_proxy reverse proxy exposure CVE-2011-3368

    An exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with proxy flag or ProxyPassMatch, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to attacker.

    Acknowledgements: This issue was reported by Context Information Security Ltd
    Reported to security team: 16th September 2011
    Issue public: 5th October 2011
    Affected: 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

As noted, 2.2.21 is vulnerable and it has been fixed in the 2.2.22 development build. I would wait until Apache issues a final build before including a new version in XAMPP.
XAMPP Control Panel Developer
Latest CP: viewtopic.php?f=16&t=48932
hackattack142
 
Posts: 703
Joined: 20. May 2011 23:29
Operating System: Windows 7 Ultimate SP1 64-Bit

Re: Apache Security Patch for 2.2.21 : Will it be implemente

Postby Sharley » 18. October 2011 01:51

Sharley wrote:
jchelpdeskwv wrote:As a workaround, an extra slash can be added to the rewrite rule.
If using the mod_rewrite rule and it affects you or any other reader then use this workaround until the developer makes a decision ( the developer has been made aware of this issue and your post ).
The security hole comes only if you
a) have a rewrite rule (mod_rewrite must be activated) with...

b) ...a proxy pass (mod_proxy must be activated) to a hidden not public server mostly in your Intranet area.

For example: The publicly visible address 'other.example.com' gets all images over the internal image server 'images.example.com'.

RewriteRule (.*)\.(jpg|gif|png) http://images.example.com$1.$2 [P]
ProxyPassMatch (.*)\.(jpg|gif|png) http://images.example.com$1.$2


Full details from this article and for sound advise re. reviewing any existing rewrite rules:
http://www.apachelounge.com/viewtopic.php?p=19415


Seems most people can fix the problem by themselves in the Apache configuration with a beginning Slash in the RewriteRule as I pointed out already.

For example:
RewriteRule /(.*)\.(jpg|gif|png) http://images.example.com/$1.$2 [P]

Or even better, do not configure Apache for a URL rewrite with an Apache proxy pass to connect an insecure Intranet server behind your firewall.
Perhaps you will be able yo do this with the coming final Apache 2.2.22 version. Perhaps ...

I think that most Apache servers do not have a redirect with a proxy pass to a 'hidden Intranet' server like the image server in the example above. So this leak could be a very limited problem.

Implementing a new XAMPP version with patches is no quick and easy operation, so when the next Apache release goes final it will induce a new XAMPP release when time permits.
User avatar
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: Apache Security Patch for 2.2.21 : Will it be implemente

Postby Sharley » 18. October 2011 02:23

To the OP:
jchelpdeskwv wrote:QUESTION IS:
Will this patch be integrated into the 2.2.21 version included in the current version anytime soon?
ANSWER IS:
No, a patch will not be integrated into the Apache 2.2.21 server that is included in XAMPP 1.7.7 but when the next Apache version 2.2.22 is final then, time permitting, shortly after a new XAMPP version will be released.

Best wishes. :)
User avatar
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 72 guests