Apache Security Patch for 2.2.21 : Will it be implemented?

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Postby jchelpdeskwv » 14. October 2011 20:59

Apache hole allows attackers to access internal servers. Apache 1.3 and all series 2 versions up to 2.2.20 are affected. As a workaround, an extra slash can be added to the rewrite rule. In addition, the Apache Foundation has already released a patch for version 2.2.21 that will fix the problem.

QUESTION IS:
Will this patch be integrated into the 2.2.21 version included in the current version anytime soon?
Last edited by Sharley on 17. October 2011 10:44, edited 1 time in total.
Reason: A clickable link has been created in my posts below.
jchelpdeskwv
 
Posts: 1
Joined: 14. October 2011 20:53

Re: Apache Security Patch for 2.2.21 : Will it be implemente

Postby Sharley » 14. October 2011 21:55

Thanks for making us aware of this issue. 8)
jchelpdeskwv wrote:As a workaround, an extra slash can be added to the rewrite rule.
If using the mod_rewrite rule and it affects you or any other reader then use this workaround until the developer makes a decision ( the developer has been made aware of this issue and your post ).

Click enabled link:
http://www.h-online.com/security/news/i ... 55890.html
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: Apache Security Patch for 2.2.21 : Will it be implemente

Postby Sharley » 15. October 2011 23:21

It has been suggested to the developer that a new XAMPP 1.7.8 version be released, which will include a new Apache version with the patch included.

Will keep you all posted as soon as I hear anything definite.
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: Apache Security Patch for 2.2.21 : Will it be implemente

Postby Sharley » 17. October 2011 10:53

The developer kvo has provided the following information re this security issue.
kvo wrote:The security problem in Apache:
This from the above link:
"Apache 1.3 and all series 2 versions up to 2.2.20 are affected".
So Apache 2.2.21 in XAMPP 1.7.7 is NOT affected.
If you are running an older XAMPP version then, if possible, it may be advisable to install the latest 1.7.7 version.

Best wishes. :)
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3

Re: Apache Security Patch for 2.2.21 : Will it be implemente

Postby hackattack142 » 17. October 2011 14:10

By the description of the vulnerability both here and at the link, it appears you are talking about this one (via: http://httpd.apache.org/security/vulner ... es_22.html)
Code:
    moderate: mod_proxy reverse proxy exposure CVE-2011-3368

    An exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with proxy flag or ProxyPassMatch, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to attacker.

    Acknowledgements: This issue was reported by Context Information Security Ltd
    Reported to security team: 16th September 2011
    Issue public: 5th October 2011
    Affected: 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

As noted, 2.2.21 is vulnerable and it has been fixed in the 2.2.22 development build. I would wait until Apache issues a final build before including a new version in XAMPP.
XAMPP Control Panel Developer
Latest CP: viewtopic.php?f=16&t=48932
hackattack142
 
Posts: 701
Joined: 20. May 2011 23:29
Operating System: Windows 7 Ultimate SP1 64-Bit

Re: Apache Security Patch for 2.2.21 : Will it be implemente

Postby Sharley » 18. October 2011 01:51

Sharley wrote:
jchelpdeskwv wrote:As a workaround, an extra slash can be added to the rewrite rule.
If using the mod_rewrite rule and it affects you or any other reader then use this workaround until the developer makes a decision ( the developer has been made aware of this issue and your post ).
The security hole comes only if you
a) have a rewrite rule (mod_rewrite must be activated) with...

b) ...a proxy pass (mod_proxy must be activated) to a hidden, non-public server, mostly in your Intranet area.

For example: The publicly visible address 'other.example.com' gets all images over the internal image server 'images.example.com'.

RewriteRule (.*)\.(jpg|gif|png) http://images.example.com$1.$2 [P]
ProxyPassMatch (.*)\.(jpg|gif|png) http://images.example.com$1.$2


Full details from this article and for sound advice re. reviewing any existing rewrite rules:
http://www.apachelounge.com/viewtopic.php?p=19415


Seems most people can fix the problem by themselves in the Apache configuration with a beginning slash in the RewriteRule as I pointed out already.

For example:
RewriteRule /(.*)\.(jpg|gif|png) http://images.example.com/$1.$2 [P]

Or even better, do not configure Apache for a URL rewrite with an Apache proxy pass to connect an insecure Intranet server behind your firewall.
Perhaps you will be able to do this with the coming final Apache 2.2.22 version. Perhaps ...

I think that most Apache servers do not have a redirect with a proxy pass to a 'hidden Intranet' server like the image server in the example above. So this leak could be a very limited problem.

Implementing a new XAMPP version with patches is no quick and easy operation, so when the next Apache release goes final it will induce a new XAMPP release when time permits.
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3
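A small configuration audit, added here as an example (it is not from the thread, from kvo, or from the XAMPP/Apache projects), that flags the two rule shapes kvo describes: a RewriteRule with the proxy flag, or a ProxyPassMatch, whose pattern is not anchored to a leading slash. SAMPLE_CONF is a constructed httpd.conf fragment built from the rules quoted above; the hypothetical audit_config function reports the line number, directive and pattern of each rule that still needs the slash.

```python
import re

# Directives the thread singles out: a RewriteRule that proxies ([P] flag)
# and ProxyPassMatch. Both take a regex pattern as their first argument.
_REWRITE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
_PPM = re.compile(r"^\s*ProxyPassMatch\s+(\S+)\s+(\S+)", re.I)

# Constructed httpd.conf fragment built from the rules quoted in this thread.
SAMPLE_CONF = r"""# constructed sample, not a real XAMPP config
RewriteEngine On
RewriteRule (.*)\.(jpg|gif|png) http://images.example.com$1.$2 [P]
ProxyPassMatch (.*)\.(jpg|gif|png) http://images.example.com$1.$2
RewriteRule /(.*)\.(jpg|gif|png) http://images.example.com/$1.$2 [P]
RewriteRule ^/old/(.*)$ /new/$1 [R=301,L]
ProxyPassMatch ^/api/(.*)$ http://app.example.com/api/$1
"""


def pattern_is_anchored(pattern: str) -> bool:
    """True when the regex can only match a request path beginning with '/'."""
    body = pattern.lstrip("^")
    return body.startswith("/") or body.startswith(r"\/")


def audit_config(text: str) -> list:
    """Return (line_no, directive, pattern) for every proxying rule whose
    pattern is not anchored to a leading slash, i.e. the shape kvo warns about."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _REWRITE.match(line)
        if m:
            flags = (m.group(3) or "").replace(" ", "").upper().split(",")
            if any(f in ("P", "PROXY") for f in flags) and not pattern_is_anchored(m.group(1)):
                findings.append((n, "RewriteRule", m.group(1)))
            continue
        m = _PPM.match(line)
        if m and not pattern_is_anchored(m.group(1)):
            findings.append((n, "ProxyPassMatch", m.group(1)))
    return findings


if __name__ == "__main__":
    for n, directive, pattern in audit_config(SAMPLE_CONF):
        print(f"line {n}: {directive} pattern {pattern!r} has no leading slash; "
              f"prefix it with '/' (or '^/') as the thread advises")
```

Run against a real httpd.conf by passing its contents to audit_config; the two unanchored rules in the sample are exactly the pair from kvo's example, while the slash-prefixed rewrite and the non-proxying redirect are not reported.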

Re: Apache Security Patch for 2.2.21 : Will it be implemente

Postby Sharley » 18. October 2011 02:23

To the OP:
jchelpdeskwv wrote:QUESTION IS:
Will this patch be integrated into the 2.2.21 version included in the current version anytime soon?
ANSWER IS:
No, a patch will not be integrated into the Apache 2.2.21 server that is included in XAMPP 1.7.7 but when the next Apache version 2.2.22 is final then, time permitting, shortly after a new XAMPP version will be released.

Best wishes. :)
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3
