Hello,
We are using Apache HTTPD 2.4.53 for an internal content management system. It is not customer-facing. The security solution considers the proxy vulnerable to an "Unauthenticated/Open Web Proxy Detected" vulnerability. After many back
and forths with them to check if it's a false positive, we still made these changes in httpd.conf file as per this Apache documentation https://httpd.apache.org/docs/current/howto/auth.html
Do you think this is the fix for the above-mentioned vulnerabilities? The reason to ask here is that Qualys doesn't provide any CVE and asks us to confirm from Apache.
This is the solution given by Qualys, which we tried to apply within httpd.conf. Let me know if we misunderstood:
SOLUTION:
Configure your proxy server to only allow connections from valid users/hosts within your internal network, or to require authentication in order
to use the proxy services. If you need more assistance on how to do this, please contact the vendor of the proxy software.
=================Vulnerability Details==============
62054- Unauthenticated/Open Web Proxy Detected (External)
62002- Unauthenticated/Open Web Proxy Detected
IMPACT:
Successful exploitation may allow unauthorized users to browse the Internet with your IP address , your Intranet and Web server. This may also be
exploited to scan non-http services inside your firewall.
SOLUTION:
Reconfigure your proxy.
COMPLIANCE:
Not Applicable
EXPLOITABILITY:
There is no exploitability information for this vulnerability.
ASSOCIATED MALWARE:
There is no malware information for this vulnerability.
RREESSUULLTTSS::
GET http://QualysScannerApplianceIP:32943/ HTTP/1.0
======================
Here is how we made the changes in Apache's httpd.conf file
|
Code:
|
|
#Sept 2024 - Attempting to fix unauthenticated proxy vul (QIDs 62002 and 62054)
AllowOverride AuthConfig
#Sept 2024 - Attempting to fix unauthenticated proxy vul (QIDs 62002 and 62054)
Order allow,deny
Allow from corpr.company_domain.local
#Sept 2024 - Attempting to fix unauthenticated proxy vul (QIDs 62002 and 62054)
AuthType Basic
AuthName "Restricted Files"
## (Following line optional)
#AuthBasicProvider file
AuthUserFile "C:\httpd-2.4.53-win64-VS16\Apache24\passwd\passwords"
Require user rbowen
</Directory>
# Mod_Proxy Settings
<VirtualHost *>
ProxyRequests On
ProxyTimeout 3600
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Deny from all
Allow from corpr.company_domain.local
</Proxy>
</VirtualHost>
ProxyPass /fontoxml http://localhost:9191/fontoxml
ProxyPassReverse /fontoxml http://localhost:9191/fontoxml
ProxyPass /api/fonto/proxy/spell-checker
http://localhost:6050
ProxyPassReverse /api/fonto/proxy/spell-checker
http://localhost:6050
ProxyPass /api/fonto http://localhost:9191/api/fonto
ProxyPassReverse /api/fonto http://localhost:9191/api/fonto
#QID 12680: HTTP TRACE / TRACK Methods Enabled
TraceEnable off
|
Confidentiality Warning: This email and any files transmitted with it may be confidential and are intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify the sender immediately
and delete this original message and any copy of it from your computer system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this email is strictly prohibited.
Disclaimer: This email may contain information that is intended to lend technical knowledge and support to the recipient. Laws, regulations, and best practices change, and the observations and comments drawn today may not apply to laws, regulations, or best
practices as they may be in the future. Any recommendations made by J. J. Keller staff are offered in strictly an advisory capacity and are not to be construed as legal advice. Recipients seeking legal advice should consult with legal counsel. J. J. Keller
& Associates, Inc. P. O. Box 368, Neenah, WI 54957-0368
