LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: October 20th, 2014
Linux Advisory Watch: October 17th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Context warns of new reverse web proxy bypass vulnerability Print E-mail
User Rating:      How can I rate this item?
Source: Context Information Security - Posted by Administrator   
Network Security Apache releases security advisory following discovery of back door threat by researchers at Context Information Security October 6th 2011 - The Apache Software Foundation yesterday issued an advisory to all of its customers following the identification by researchers at UK-based Context Information Security of a new class of security vulnerability that could allow hackers to gain full internet access to internal or DMZ systems using insecurely configured reverse web proxies. Context alerted Apache to the weakness last month and has today published a blog detailing this new class of attack that it believes is likely to affect other web servers and proxies. The blog also provides advice to mitigate the risks:
http://www.contextis.com/research/blog/reverseproxybypass/

Reverse proxies are used to route external HTTP and HTTPS web requests to one of several internal web servers to access data and resources. Typical applications include load balancing, separating static from dynamic content, or to present a single interface to a number of different web servers at different paths.

While other proxies may suffer from the same vulnerability, the specific attack identified by Context researchers was based on an Apache web server using the mod_rewrite proxy function, which uses a rule-based rewriting engine to modify and rewrite web requests dynamically. When the web proxies had not been configured securely, Context was able to use an easy-to-obtain hacking tool in order to force a change in the request to access internal or DMZ systems, including administration interfaces on firewalls, routers, web servers and databases. And if credentials on internal systems were weak, a full network compromise was possible including uploading Trojan WAR files to a server.

The vulnerability can easily be mitigated by checking reverse proxy configurations to ensure that the rewrite rules cannot be abused to allow for the URLs to be rewritten in such a way that they can access internal systems. Context has also released the latest version of its free to download Context Application Tool (CAT) designed to deliver manual web application penetration testing that can be used to identify the vulnerability.

The difference between the two rules can be as simple as adding an extra slash, which ensures that Apache does not interpret the domain and port parts of the request as a username and password. For example, if the Apache configuration file is configured like this:
RewriteRule ^(.*) http://internalserver:80$1 [P], and not like this:
RewriteRule ^(.*) http://internalserver:80/$1 [P], then access from the internet to any internal system is possible.

In its advisory to customers, Apache recommends that Apache HTTPD users should examine their configuration files to determine if they have used an insecure configuration for reverse proxying. The full Apache response can be viewed at http://seclists.org/fulldisclosure/2011/Oct/232

"This latest vulnerability present is a potential back door to sensitive internal or DMZ systems but is totally avoidable if the reverse proxies are properly configured," said Michael Jordon, Research and Development Manger at Context Information Security. "We have not investigated other web servers and proxies but it is reasonable to assume that the problem is more widespread." Full details of the reverse proxy bypass vulnerability with link to download the free Context Application Tool are published on the Context web site at http://www.contextis.com/

About Context

Context Information Security is an independent security consultancy specialising in both technical security and information assurance services. Founded in 1998, the company’s client base has grown steadily based on the value of its product-agnostic, holistic approach and tailored services combined with the independence, integrity and technical skills of its consultants. The company’s client base now includes some of the most prestigious blue chip companies in the world, as well as government organisations. As best security experts need to bring a broad portfolio of skills to the job, Context staff offer extensive business experience as well as technical expertise to deliver effective and practical solutions, advice and support. Context reports always communicate findings and recommendations in plain terms at a business level as well as in the form of an in-depth technical report.
email: blogs[at]contextis[dot]com
www.contextis.com

For more information for editors, please contact:
Peter Rennison / Allie Andrews
PRPR,
Tel: + 44 (0)1442 245030 / 07831 208109
Email: pr[at]prpr[dot]co.uk / allie[at]prpr[dot]co.uk

Distributed on behalf of PRPR by NeonDrum news distribution service (http://www.neondrum.com)

Only registered users can write comments.
Please login or register.

Powered by AkoComment!

 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
USB is now UEC (use with extreme caution)
iPhone Encryption and the Return of the Crypto Wars
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.