RE: How to fix Apache HTTPD Unauthenticated/Open Web Proxy Vulnerability?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thank you for pointing it out.
After turning off the ProxyRequests and making one change within the below snippet resolved the Qualys vulnerabilities 62002 and 62054.

<Directory "${SRVROOT}/cgi-bin">
AllowOverride None
Options None
Require all denied
</Directory>

We made sure it doesn't break the integration we had with Apache HTTPD. Thanks again.

 

From: Eric Covener <covener@xxxxxxxxx>
Sent: Friday, September 27, 2024 7:16 AM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: [users@httpd] How to fix Apache HTTPD Unauthenticated/Open Web Proxy Vulnerability?

 

EXTERNAL EMAIL - This email was sent by a person from outside your organization. Exercise caution when clicking links, opening attachments or taking further action, before validating its authenticity.

 


I suspect you are not running a forward proxy on purpose, so you should not have "ProxyRequests ON" in your configuration.  You should just test without this, remove the other additions, and move on.

 

If you're running a forward proxy on purpose, you have to restrict who can access it (and what hosts it can access).  You need to be able to test it as you go. You seem to have a combination of different access control snippets, including deprecated ones like "order" and "allow" and an unnecessary authconfig.  I suggest starting over based on how you expect to limit users -- are you going to maintain a htpasswd entry for each user?  Or use "require" to allow IP ranges or domains?  Again, you need to be able to test this as you go.

 

 

On Fri, Sep 27, 2024 at 7:31AM Shinde, Pramod K <PShinde@xxxxxxxxxxxx.invalid> wrote:

Hello,

We are using Apache HTTPD 2.4.53 for an internal content management system. It is not customer-facing. The security solution considers the proxy vulnerable to an "Unauthenticated/Open Web Proxy Detected" vulnerability. After many back and forths with them to check if it's a false positive, we still made these changes in httpd.conf file as per this Apache documentation https://httpd.apache.org/docs/current/howto/auth.html

 


Do you think this is the fix for the above-mentioned vulnerabilities? The reason to ask here is that Qualys doesn't provide any CVE and asks us to confirm from Apache.

This is the solution given by Qualys, which we tried to apply within httpd.conf. Let me know if we misunderstood:

SOLUTION:
Configure your proxy server to only allow connections from valid users/hosts within your internal network, or to require authentication in order
to use the proxy services. If you need more assistance on how to do this, please contact the vendor of the proxy software.




=================Vulnerability Details==============
62054- Unauthenticated/Open Web Proxy Detected (External)
62002- Unauthenticated/Open Web Proxy Detected
IMPACT:
Successful exploitation may allow unauthorized users to browse the Internet with your IP address , your Intranet and Web server. This may also be
exploited to scan non-http services inside your firewall.
SOLUTION:
Reconfigure your proxy.
COMPLIANCE:
Not Applicable
EXPLOITABILITY:
There is no exploitability information for this vulnerability.
ASSOCIATED MALWARE:
There is no malware information for this vulnerability.
RREESSUULLTTSS::
GET http://QualysScannerApplianceIP:32943/ HTTP/1.0
======================

Here is how we made the changes in Apache's httpd.conf file

Code:



#Sept 2024 - Attempting to fix unauthenticated proxy vul (QIDs 62002 and 62054)
AllowOverride AuthConfig
 
#Sept 2024 - Attempting to fix unauthenticated proxy vul (QIDs 62002 and 62054)
    Order allow,deny
    Allow from corpr.company_domain.local
#Sept 2024 - Attempting to fix unauthenticated proxy vul (QIDs 62002 and 62054)
AuthType Basic
AuthName "Restricted Files"
## (Following line optional)
#AuthBasicProvider file
AuthUserFile "C:\httpd-2.4.53-win64-VS16\Apache24\passwd\passwords"
Require user rbowen

</Directory>


# Mod_Proxy Settings
 <VirtualHost *>
   ProxyRequests On
   ProxyTimeout 3600
   ProxyPreserveHost On
   
   <Proxy *>
      Order deny,allow
                Deny from all
                Allow from corpr.company_domain.local
   </Proxy>
</VirtualHost>
ProxyPass         /fontoxml  http://localhost:9191/fontoxml
ProxyPassReverse  /fontoxml  http://localhost:9191/fontoxml

ProxyPass         /api/fonto/proxy/spell-checker  http://localhost:6050
ProxyPassReverse  /api/fonto/proxy/spell-checker http://localhost:6050

ProxyPass         /api/fonto  http://localhost:9191/api/fonto
ProxyPassReverse  /api/fonto http://localhost:9191/api/fonto

#QID 12680: HTTP TRACE / TRACK Methods Enabled
TraceEnable off

 

Confidentiality Warning: This email and any files transmitted with it may be confidential and are intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify the sender immediately and delete this original message and any copy of it from your computer system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this email is strictly prohibited. Disclaimer: This email may contain information that is intended to lend technical knowledge and support to the recipient. Laws, regulations, and best practices change, and the observations and comments drawn today may not apply to laws, regulations, or best practices as they may be in the future. Any recommendations made by J. J. Keller staff are offered in strictly an advisory capacity and are not to be construed as legal advice. Recipients seeking legal advice should consult with legal counsel. J. J. Keller & Associates, Inc. P. O. Box 368, Neenah, WI 54957-0368


 

--

Eric Covener
covener@xxxxxxxxx

Confidentiality Warning: This email and any files transmitted with it may be confidential and are intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify the sender immediately and delete this original message and any copy of it from your computer system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this email is strictly prohibited. Disclaimer: This email may contain information that is intended to lend technical knowledge and support to the recipient. Laws, regulations, and best practices change, and the observations and comments drawn today may not apply to laws, regulations, or best practices as they may be in the future. Any recommendations made by J. J. Keller staff are offered in strictly an advisory capacity and are not to be construed as legal advice. Recipients seeking legal advice should consult with legal counsel. J. J. Keller & Associates, Inc. P. O. Box 368, Neenah, WI 54957-0368

[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux