httpd-dev mailing list archives

From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject RE: [RFC] further proxy/rewrite URL validation security issue (CVE-2011-4317)
Date Wed, 23 Nov 2011 15:53:46 GMT

> -----Original Message-----
> From: Joe Orton [mailto:jorton@redhat.com]
> Sent: Wednesday, 23 November 2011 15:23
> To: dev@httpd.apache.org
> Subject: [RFC] further proxy/rewrite URL validation security issue (CVE-2011-4317)
> 
> Prutha Parikh from Qualys reported a variant on the CVE-2011-3368 attack
> against certain mod_proxy/mod_rewrite configurations.  A new CVE name,
> CVE-2011-4317, has been assigned to this variant.
> 
> The configurations in question are the same as affected by -3368, e.g.:
> 
>  RewriteRule ^(.*) http://www.example.com$1 [P]
> 
> and the equivalent ProxyPassMatch.  Request examples are:
> 
>  GET @localhost::8880 HTTP/1.0\r\n\r\n
>  GET qualys:@qqq.qq.qualys.com HTTP/1.0\r\n\r\n
> 
> These unfortunately do not get trapped in the request parsing trap added
> in r1179239, so result in an input to rewrite rule processing which does
> not match the URL-path grammar (i.e. does not start with "/").
> 
> We could try to improve that fix, but I think it would be simpler to change
> the translate_name hooks in mod_proxy and mod_rewrite to enforce the
> requirement in the "right" place.  Other translate_name hooks do this
> already.
> 
> I propose the patch below.  Any comments?

+1. Go ahead with the patch.
One comment though: Shouldn't we check r->unparsed_uri as well (at least
in the proxy case, as it may be used by ap_proxy_trans_match instead of r->uri)?

Regards

Rüdiger
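The check discussed above, as an added stand-alone model (not the httpd patch from the thread and not httpd's own code): a translate_name-style guard that declines any request whose r->uri, or, per the reply, r->unparsed_uri, does not begin with "/", run over the two request-targets from the report. The `fake_request` struct and the function names are hypothetical stand-ins for httpd's request_rec and hooks.

```c
/* Added example: models the proposed translate_name check. The struct is a
 * hypothetical stand-in for httpd's request_rec with only the two fields
 * the thread discusses; OK/DECLINED mirror httpd's hook return codes. */
#include <stdbool.h>
#include <stddef.h>

#define OK        0
#define DECLINED  (-1)

typedef struct {
    const char *uri;           /* parsed (possibly already rewritten) path */
    const char *unparsed_uri;  /* request-target exactly as the client sent it */
} fake_request;

/* The URL-path grammar for an origin-form request requires a leading "/".
 * "@host:port", "user:@host" or an empty target therefore fail here. */
static bool is_url_path(const char *s)
{
    return s != NULL && s[0] == '/';
}

/* Model of the guard: enforce the rule on r->uri and, as the reply suggests,
 * on r->unparsed_uri as well, since ap_proxy_trans_match may consult the
 * latter. DECLINED stops the request before the RewriteRule [P] /
 * ProxyPassMatch target is ever built from it. */
int translate_name_guard(const fake_request *r)
{
    if (!is_url_path(r->uri) || !is_url_path(r->unparsed_uri))
        return DECLINED;
    return OK;
}

/* Constructed inputs: the two request-targets quoted in the report, an
 * ordinary path, and an empty target. Returns how many the guard accepts. */
int count_accepted(void)
{
    static const char *targets[] = {
        "@localhost::8880",           /* from the report: declined */
        "qualys:@qqq.qq.qualys.com",  /* from the report: declined */
        "/index.html",                /* ordinary path: accepted */
        "",                           /* empty target: declined */
    };
    int accepted = 0;
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        fake_request r = { targets[i], targets[i] };
        if (translate_name_guard(&r) == OK)
            accepted++;
    }
    return accepted;  /* returns 1 */
}
```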

