Reverse proxy bypass
Description
A URL parsing vulnerability exists in Apache HTTP Server versions 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 when mod_proxy is configured with RewriteRule or ProxyPassMatch directives for reverse proxying. The vulnerability allows attackers to bypass intended proxy restrictions by crafting malicious URIs that begin with an @ (at sign) character. Because this character is interpreted as a credential separator in URLs, the proxy sends requests to unintended internal or external hosts instead of the configured destination server.
Remediation
Administrators should immediately review all Apache HTTP Server reverse proxy configurations and apply one of the following remediation strategies:
1. Update Configuration (Recommended):
Modify RewriteRule and ProxyPassMatch directives to include a leading forward slash in the pattern, ensuring only valid paths are matched. For example:
Vulnerable configuration:
RewriteRule (.*)\.jpg$ http://images.example.com$1.jpg [P]
ProxyPassMatch (.*)\.jpg$ http://images.example.com$1.jpg
Secure configuration:
RewriteRule ^/(.*)\.jpg$ http://images.example.com/$1.jpg [P]
ProxyPassMatch ^/(.*)\.jpg$ http://images.example.com/$1.jpg
The caret (^) anchors the pattern to the beginning, and the leading slash ensures only valid path requests are processed.
2. Upgrade Apache:
Update to Apache HTTP Server version 2.2.22 or later, which includes fixes for CVE-2011-3368.
3. Verify Configuration:
Test the updated configuration by attempting to access resources using malformed URIs (e.g., GET @internal.host/resource HTTP/1.1) to confirm the vulnerability has been mitigated.
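A configuration audit for the pattern fix in step 1, as an added example (not part of the original advisory or of Apache itself): it flags RewriteRule [P] and ProxyPassMatch directives whose pattern is not anchored with ^/, and models which backend host a rule would contact for a given request URI. The function names, the sample configuration and the simplified $N substitution are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the advisory's vulnerable and secure directives,
# plus one non-proxy rewrite that must not be flagged.
SAMPLE_CONF = r"""
RewriteRule (.*)\.jpg$ http://images.example.com$1.jpg [P]
ProxyPassMatch (.*)\.jpg$ http://images.example.com$1.jpg
RewriteRule ^/(.*)\.jpg$ http://images.example.com/$1.jpg [P]
ProxyPassMatch ^/(.*)\.jpg$ http://images.example.com/$1.jpg
RewriteRule ^/old$ /new [R]
"""

def is_proxy_rule(tokens):
    """True for ProxyPassMatch, or a RewriteRule carrying the P (proxy) flag."""
    name = tokens[0].lower()
    if name == "proxypassmatch":
        return len(tokens) >= 3
    if name == "rewriterule" and len(tokens) >= 4:
        flags = tokens[3].strip("[]").split(",")
        return any(f.strip().lower() in ("p", "proxy") for f in flags)
    return False

def audit(conf_text):
    """Return (line_no, directive) for proxy rules not anchored with ^/.
    Assumes whitespace-separated arguments; does not follow Include files."""
    findings = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if is_proxy_rule(tokens) and not tokens[1].startswith("^/"):
            findings.append((n, line.strip()))
    return findings

def backend_host(pattern, target, request_uri):
    """Simplified model of the rule: substitute $N into the target and
    return the host the resulting URL names, or None if there is no match."""
    m = re.search(pattern, request_uri)
    if m is None:
        return None
    url = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), target)
    return urlsplit(url).hostname

if __name__ == "__main__":
    for line_no, directive in audit(SAMPLE_CONF):
        print(f"line {line_no}: unanchored proxy pattern: {directive}")
```

Run audit() over each virtual host file; backend_host() shows why a finding matters by reporting the host a rule resolves to for a URI such as the one in step 3.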