Heap-um big hole in Apache

Insecurity experts from Qualys say that they have found a yet-to-be-patched flaw in the Apache HTTP server which allows attackers to access protected resources on the internal network.

All it takes for “goodnight Vienna” to take place on the network is for some rewrite rules not to be defined properly. Then, the next thing you know, the hackers are inside the server, putting their muddy paws on the sofa, drinking your booze and watching pay-per-view porn on your flat screen.

The vulnerability hits Apache installations that operate in reverse proxy mode. This is a configuration used for load balancing, caching and other operations that use multiple servers.

Apparently, to set up Apache HTTPD to run as a reverse proxy, server administrators use specialised modules like mod_proxy and mod_rewrite.

But Qualys warns that if certain rules are not configured correctly, attackers can trick servers into performing unauthorised requests to access internal resources.

The problem has been around for a while, as a patch was issued for something similar in October.

However, while reviewing the patch, Qualys boffin Prutha Parikh twigged that it can be bypassed due to a bug in the procedure for URI (Uniform Resource Identifier) scheme stripping.

You have to know what you are doing. The fault was something to do with the “URI part that comes before the colon”, and if you have not mastered your colon you could find yourself in more hot water than your Apache server configuration.

Apache has had a pow-wow about it and “Dancers with Servers” has been allocated to have a look at it.

At the moment, they are not sure whether it’s better to strengthen the previous patch in the server code in order to reject such requests or to do something a little heavier. The worry is that by tinkering with one branch of the code, they could be leaving open another hole somewhere else.