Apache HTTPD mod_proxy Security Bypass (Dec 2, 2011)

The Apache HTTP Server, commonly referred to as Apache, is web server software notable for playing a key role in the initial growth of the World Wide Web. In 2009 it became the first web server software to surpass the 100 million website milestone. The server is capable of being utilized with many different options and configurations. A wide variety of runtime loadable plug-in modules can be used to extend its functionality.

One of the official plug-in modules is the mod_proxy module. As all other modules, it can be compiled as a separate shared library with a “.so” extension. The purpose of this module is to let Apache HTTP server run as a forward or reverse proxy for FTP, HTTP, and HTTPS. The proxy functionality can be turned on by its relevant configuration directives. And users would typically send an HTTP request to a web server which will then be forwarded to the appropriate backend servers.

HTTP is a request/response protocol commonly used by HTTP Server. HTTP uses Uniform Resource Identifiers (URIs) to locate the web pages. A typical HTTP request with URI is showed be below:

 GET /test/index.html HTTP/1.1 HOST: 

A policy bypass vulnerability exists in Apache HTTP server. The vulnerability is due to a design weakness in Apache reverse proxy module mod_proxy when configured in a specific manner. The code may fail to sufficiently sanitize the Request-URI in an HTTP request in this case. As a result, the internal web server which should not be accessible to external users will be accessed through the Reverse Proxy server.

SonicWALL UTM team has researched this vulnerability and released the following IPS sigantures:

  • 3105 Apache HTTPD mod_proxy Security Bypass 1
  • 3132 Apache HTTPD mod_proxy Security Bypass 2

The vulnerability has been referred by CVE as CVE-2011-3368.