Apache HTTPD mod_proxy Security Bypass (Dec 2, 2011)


The Apache HTTP Server, commonly referred to as Apache, is web server software notable for playing a key role in the initial growth of the World Wide Web. In 2009 it became the first web server software to surpass the 100 million website milestone. The server is capable of being utilized with many different options and configurations. A wide variety of runtime loadable plug-in modules can be used to extend its functionality.

One of the official plug-in modules is the mod_proxy module. As all other modules, it can be compiled as a separate shared library with a “.so” extension. The purpose of this module is to let Apache HTTP server run as a forward or reverse proxy for FTP, HTTP, and HTTPS. The proxy functionality can be turned on by its relevant configuration directives. And users would typically send an HTTP request to a web server which will then be forwarded to the appropriate backend servers.

HTTP is a request/response protocol commonly used by HTTP Server. HTTP uses Uniform Resource Identifiers (URIs) to locate the web pages. A typical HTTP request with URI is showed be below:

 GET /test/index.html HTTP/1.1 HOST: www.example.com 

A policy bypass vulnerability exists in Apache HTTP server. The vulnerability is due to a design weakness in Apache reverse proxy module mod_proxy when configured in a specific manner. The code may fail to sufficiently sanitize the Request-URI in an HTTP request in this case. As a result, the internal web server which should not be accessible to external users will be accessed through the Reverse Proxy server.

SonicWALL UTM team has researched this vulnerability and released the following IPS sigantures:

  • 3105 Apache HTTPD mod_proxy Security Bypass 1
  • 3132 Apache HTTPD mod_proxy Security Bypass 2

The vulnerability has been referred by CVE as CVE-2011-3368.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.