httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Germer, Carsten" <carsten.ger...@desy.de>
Subject [users@httpd] Security glitch with Rewrite and Proxy
Date Thu, 28 Sep 2006 14:39:09 GMT
Hello everyone!

I hope there is someone out there who can help with this or can point me
out to someone who might be able to...
We use Scientific Linux IV (based on Redhat Enterprise 4) and Apache
2.2.3-1i386 (RPM from Apache)

Here is the snippet from my virthost
  RewriteEngine on
  # Block every IP that is not from DESY
  RewriteCond %{HTTP:ORIGCLIENTADDR} ^131\.169\.* [OR]
  RewriteCond %{HTTP:ORIGCLIENTADDR} ^141\.34\.*
  RewriteRule ^(.*) http://localhost:8080/sites/mysite$1 [P,L]
  RewriteRule ^(.*) http://www.desy.de/ [L]

(Info: ORIGCLIENTADDR is a variable set by our loadbalancer to use for
rewriting and logging purposes.)

a.)
If I send a request to "/" from a machine with the IP 192.76.172.251 the
virthostlog shows this
192.76.172.251 - - [28/Sep/2006:15:44:16 +0200] "GET / HTTP/1.0" 302 269
"-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7)
Gecko/20060909 Firefox/1.5.0.7"
As expected he or she sees http://www.desy.de/ and I have the
corresponding line in the RewriteLog.

b.)
If now someone with a matching IP-Adress requests "/" he or she gets
correctly redirected to "localhost:8080/..." and get's the page and
elements from the underlying content management system.
virthostlog and rewritelog show that everything works as expected.

c.)
NOW, if I repeat step a.) suddenly the virthostlog shows
192.76.172.251 - - [28/Sep/2006:15:40:17 +0200] "GET / HTTP/1.0" 200
16173 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7)
Gecko/20060909 Firefox/1.5.0.7"
and there is not even a single line in the RewriteLog!

Why does apache suddenly serve out "/" without even running into the
RewriteConds? Where does Apache fetch it from? As it seems Apache
completely overrides my RewriteBlock causing a security risk to our
data.

This is quite serious trouble here at the WebOffice and I am completely
out of ideas.
I have tried rewriting the RewriteBlock in several ways but the outcome
is always the same. It works so far but in case of c.) it doesn't even
get touched -> no line in the RewriteLog...

Oh, one thing, I've checked the underlying CMS, too, it's not giving out
stuff "through the backdoor".

Tired an puzzled greetings /Carsten

------------------------------------------------------------------------
Carsten Germer         Deutsches Elektronen Synchrotron (Web-Office, IT)
phone:  +49-40-8998-1661                                    Notkestr. 85
web: http://wof.desy.de                                    22607 Hamburg
e-mail: carsten.germer@desy.de                                   Germany
------------------------------------------------------------------------

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message