apr-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: [RFC] further proxy/rewrite URL validation security issue (CVE-2011-4317)
Date Sat, 17 Dec 2011 00:35:59 GMT
On 12/16/2011 3:13 AM, Joe Orton wrote:
> On Thu, Dec 15, 2011 at 10:04:03AM -0500, Jeff Trawick wrote:
>> On Wed, Nov 23, 2011 at 9:23 AM, Joe Orton <jorton@redhat.com> wrote:
>>> Prutha Parikh from Qualys reported a variant on the CVE-2011-3368 attack
>>> against certain mod_proxy/mod_rewrite configurations.  A new CVE name,
>>> CVE-2011-4317, has been assigned to this variant.
>>>
>>> The configurations in question are the same as affected by -3368, e.g.:
>>>
>>>  RewriteRule ^(.*) http://www.example.com$1 [P]
>>>
>>> and the equivalent ProxyPassMatch.  Request examples are:
>>>
>>>  GET @localhost::8880 HTTP/1.0\r\n\r\n
>>>  GET qualys:@qqq.qq.qualys.com HTTP/1.0\r\n\r\n
>>
>> These appear to not apply to 2.0.x because of a difference in URI
>> parsing between apr-util 0.9.x and apr-util 1.something.x.
>>
>> Has anyone else tried that on 2.0.x?
> 
> Tomas Hoger tracked this down to a change to apr_uri_parse(), see here:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=756483#c8 
> 
> The referenced change is in APR-util version 1.2.13, so httpd is not 
> vulnerable if using APR-util 1.2.12 or older versions.

Can we determine this to be errant behavior in apr_uri_parse?
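
The host confusion in the quoted report, as an added example that is not part of this thread and is not httpd or APR code: a simplified RFC 3986 authority split (deliberately not apr_uri_parse()) shows which host results when the quoted request targets are appended to the RewriteRule prefix, and a guard rejects targets that do not begin with "/". The function names and the guard policy are assumptions, and "/index.html" is a constructed benign sample.

```c
#include <stdio.h>
#include <string.h>
/* Simplified RFC 3986 authority split (no IPv6 literals); not apr_uri_parse(). */
static const char *url_host(const char *url)
{
    static char host[256];
    const char *p = strstr(url, "://");
    if (!p) return NULL;
    p += 3;
    size_t alen = strcspn(p, "/?#");      /* authority ends at path, query or fragment */
    const char *h = p;
    for (size_t i = 0; i < alen; i++)
        if (p[i] == '@') h = p + i + 1;   /* everything up to the last '@' is userinfo */
    size_t hlen = strcspn(h, ":/?#");     /* host ends at the port separator */
    if (hlen == 0 || hlen >= sizeof host) return NULL;
    snprintf(host, sizeof host, "%.*s", (int)hlen, h);
    return host;                          /* static buffer, overwritten by the next call */
}

/* Host a proxy would contact when the raw request-target replaces $1 after the prefix. */
static const char *proxied_host(const char *prefix, const char *target)
{
    char url[512];
    int len = snprintf(url, sizeof url, "%s%s", prefix, target);
    if (len < 0 || (size_t)len >= sizeof url) return NULL;
    return url_host(url);
}

/* Assumed guard policy: only origin-form targets that leave the configured host unchanged. */
static int target_is_safe(const char *prefix, const char *target)
{
    char want[256];
    const char *h = url_host(prefix);
    if (!h || target[0] != '/') return 0;
    strcpy(want, h);                      /* copy before url_host reuses its buffer */
    h = proxied_host(prefix, target);
    return h && strcmp(want, h) == 0;
}

int main(void)
{
    const char *prefix = "http://www.example.com";  /* prefix from the quoted RewriteRule */
    const char *targets[] = { "/index.html", "@localhost::8880", "qualys:@qqq.qq.qualys.com" };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        int safe = target_is_safe(prefix, targets[i]);
        const char *h = proxied_host(prefix, targets[i]);
        printf("%-27s host=%-18s safe=%d\n", targets[i], h ? h : "(none)", safe);
    }
    return 0;
}
```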



