RE: CVE-2023-25690: Apache HTTP Server: HTTP request splitting with mod_rewrite and mod_proxy

Hi,

We are experiencing the effect that a RewriteRule resulting in R (redirect) is blocked (403) with AH10410 despite being encoded before 2.4.56 (the resulting Location header was ok). Is this change intentional?

Example:
RewriteRule		^/here/([^/]+)(/.*)$	http://example.com:8080/elsewhere/?base=$1&target=$2 [R,QSA,L]

We are evaluating this workaround:
[R,B,BNP,NE,QSA,L]

This results in encoded slashes which is not necessary. Any ideas how to achieve the previous result?

Tested on the Ubuntu 22.04 and 20.04 backport of this fix.

Thanks,
Thomas Å.


On 2023/03/07 12:55:07 Eric Covener wrote:
> 
> Severity: important
> 
> Description:
> 
> Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack.
> 
> Configurations are affected when mod_proxy is enabled along with some form of RewriteRule
> or ProxyPassMatch in which a non-specific pattern matches
> some portion of the user-supplied request-target (URL) data and is then
> re-inserted into the proxied request-target using variable 
> substitution. For example, something like:
> 
> RewriteEngine on
> RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
> ProxyPassReverse /here/ http://example.com:8080/
> 
> Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning.
> 
> Credit:
> 
> Lars Krapf of Adobe (finder)
> 
> References:
> 
> https://httpd.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2023-25690
> 
> Timeline:
> 
> 2023-02-02: reported
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> 
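A constructed Python model of the redirect rule from the post (added here; not httpd code and not from anyone in the thread), showing what the original flags, the [R,B,BNP,NE,QSA,L] workaround and plain [B] each produce for the same request, and why the workaround yields %2F in the Location header. It approximates the documented B/BNP escaping, models the 2.4.56 refusal with a hypothetical `unsafe_backref` check (an assumption, not the server's actual test), and does not model the output-escaping stage that [NE] disables.

```python
import re
from urllib.parse import unquote

# Constructed model of the rule from the post (not httpd code):
#   RewriteRule ^/here/([^/]+)(/.*)$ http://example.com:8080/elsewhere/?base=$1&target=$2 [R,QSA,L]
RULE = re.compile(r"^/here/([^/]+)(/.*)$")
TARGET = "http://example.com:8080/elsewhere/?base={base}&target={target}"

def escape_backref(value, noplus=False):
    """Approximate the documented [B] flag: every non-alphanumeric byte is
    percent-encoded (so '/' becomes %2F); a space becomes '+' unless [BNP]
    is set, in which case it becomes %20."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ch == " " and not noplus:
            out.append("+")
        else:
            out.extend("%%%02X" % b for b in ch.encode("utf-8"))
    return "".join(out)

def unsafe_backref(value):
    """Assumed approximation of the 2.4.56 hardening behind the AH10410
    refusal: a backreference taken from the already URL-decoded path must
    not carry a literal '?' or a control character into the new
    request-target, because either changes where the path and query end."""
    return "?" in value or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)

def rewrite(request_target, flags=("R", "QSA", "L")):
    """Return ("redirect", location), ("refused", None) or ("nomatch", None).
    Output escaping (what [NE] turns off) is deliberately not modelled."""
    path, _, query = request_target.partition("?")
    m = RULE.match(unquote(path))          # mod_rewrite matches the decoded path
    if not m:
        return ("nomatch", None)
    base, target = m.group(1), m.group(2)
    if "B" in flags:                       # [B] escapes the captures, [BNP] keeps spaces as %20
        noplus = "BNP" in flags
        base, target = escape_backref(base, noplus), escape_backref(target, noplus)
    elif unsafe_backref(base) or unsafe_backref(target):
        return ("refused", None)           # models the 403 / AH10410 seen in the post
    location = TARGET.format(base=base, target=target)
    if "QSA" in flags and query:           # [QSA] appends the original query string
        location += "&" + query
    return ("redirect", location)
```

Running `rewrite("/here/foo/bar%20baz?x=1", ("R", "B", "BNP", "NE", "QSA", "L"))` gives a target of `%2Fbar%20baz`, the encoded slash the post describes; the same request without [B] keeps the slash because nothing in the capture triggers the refusal.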
