httpd-dev mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: [RFC] further proxy/rewrite URL validation security issue (CVE-2011-4317)
Date Tue, 10 Jan 2012 15:50:37 GMT
On Fri, Dec 16, 2011 at 7:35 PM, William A. Rowe Jr.
<wrowe@rowe-clan.net> wrote:
> On 12/16/2011 3:13 AM, Joe Orton wrote:
>> On Thu, Dec 15, 2011 at 10:04:03AM -0500, Jeff Trawick wrote:
>>> On Wed, Nov 23, 2011 at 9:23 AM, Joe Orton <jorton@redhat.com> wrote:
>>>> Prutha Parikh from Qualys reported a variant on the CVE-2011-3368 attack
>>>> against certain mod_proxy/mod_rewrite configurations.  A new CVE name,
>>>> CVE-2011-4317, has been assigned to this variant.
>>>>
>>>> The configurations in question are the same as affected by -3368, e.g.:
>>>>
>>>>  RewriteRule ^(.*) http://www.example.com$1 [P]
>>>>
>>>> and the equivalent ProxyPassMatch.  Request examples are:
>>>>
>>>>  GET @localhost::8880 HTTP/1.0\r\n\r\n
>>>>  GET qualys:@qqq.qq.qualys.com HTTP/1.0\r\n\r\n
>>>
>>> These appear to not apply to 2.0.x because of a difference in URI
>>> parsing between apr-util 0.9.x and apr-util 1.something.x.
>>>
>>> Has anyone else tried that on 2.0.x?
>>
>> Tomas Hoger tracked this down to a change to apr_uri_parse(), see here:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=756483#c8
>>
>> The referenced change is in APR-util version 1.2.13, so httpd is not
>> vulnerable if using APR-util 1.2.12 or older versions.
>
> Can we determine this to be errant behavior in apr_uri_parse?

I think we can for at least a couple of these.  In fact I assumed
based on the httpd 2.0 assessment pointed to earlier that the two URIs
already were rejected, and so I expected these two URIs to fail to
parse with apr-util 0.9.  But no such luck:

Index: testuri.c
===================================================================
--- testuri.c	(revision 1229335)
+++ testuri.c	(working copy)
@@ -51,6 +51,14 @@
         APR_EGENERAL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0
     },
     {
+        "@127.0.0.1::8880",
+        APR_EGENERAL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0
+    },
+    {
+        "qlalys:@127.0.0.1",
+        APR_EGENERAL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0
+    },
+    {
         "http://[::127.0.0.1]:9999/asdf.html",
         0, "http", "[::127.0.0.1]:9999", NULL, NULL, "::127.0.0.1",
"9999", "/asdf.html", NULL, NULL, 9999
     },
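Review bot: the two new entries "@127.0.0.1::8880" and "qlalys:@127.0.0.1" expect APR_EGENERAL, yet the message around the patch reports that apr-util 0.9 parses both strings, so these cases fail as written; either add a comment on each entry stating which apr-util behaviour is being asserted (with a pointer to CVE-2011-4317 and the reported request forms "@localhost::8880" and "qualys:@qqq.qq.qualys.com"), or encode the observed parse result so the test records current behaviour instead of failing silently. The second string also carries a typo ("qlalys" for "qualys"); it does not change what the parser sees, but aligning it with the reported input makes the test easier to trace back to the report.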

(perhaps I botched the URIs; spending 30 minutes on this every 2 weeks
isn't working well for me :( )
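The following is an added example and not code from httpd, APR or any participant in this thread. It models the unanchored rewrite quoted by Joe Orton (`RewriteRule ^(.*) http://www.example.com$1 [P]`), shows which host a generic URI parser ends up with once the two request-URIs from the report are appended to the backend prefix, and applies the validation a defender wants: only origin-form request-URIs (leading `/`) are allowed through. The backend prefix is the one from the quoted rule; the ordinary request `/index.html`, the function names, and the use of Python's `urllib.parse` in place of `apr_uri_parse()` are constructed for illustration.

```python
"""Added example: effect of an unanchored proxy rewrite on the target host,
and a minimal request-URI check. Not httpd/APR code."""
from urllib.parse import urlsplit

# Backend prefix taken from the quoted RewriteRule target.
BACKEND = "http://www.example.com"

# Request-URIs: one ordinary (constructed) plus the two from the report.
REQUEST_URIS = [
    "/index.html",
    "@localhost::8880",
    "qualys:@qqq.qq.qualys.com",
]


def naive_rewrite(request_uri: str) -> str:
    """Model of 'RewriteRule ^(.*) http://www.example.com$1 [P]':
    the request-URI is appended to the backend prefix unchanged."""
    return BACKEND + request_uri


def effective_host(url: str) -> str:
    """Host a URI parser resolves for the rewritten URL. Everything before
    the last '@' in the authority is userinfo, so a request-URI that
    starts with '@' or 'user:@' moves the intended host into userinfo
    and substitutes its own host."""
    return urlsplit(url).hostname or ""


def is_safe_request_uri(request_uri: str) -> bool:
    """Defender-side check: only accept origin-form request-URIs, which
    is what an anchored pattern such as
    'RewriteRule ^/(.*) http://www.example.com/$1 [P]' enforces
    (assumed mitigation for illustration)."""
    return request_uri.startswith("/")


def analyse(request_uri: str) -> dict:
    """Summarise where the naive rewrite would send the request and
    whether the leading-slash check would have accepted it."""
    url = naive_rewrite(request_uri)
    return {
        "request_uri": request_uri,
        "rewritten": url,
        "host_reached": effective_host(url),
        "accepted_by_check": is_safe_request_uri(request_uri),
    }


if __name__ == "__main__":
    for uri in REQUEST_URIS:
        print(analyse(uri))
```

Only the ordinary request reaches `www.example.com`; the two reported forms are parsed with `localhost` and `qqq.qq.qualys.com` as the host, and both are refused by the leading-slash check, which is the property to assert in a regression test for this class of configuration.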
