Friday, December 2, 2011

Big Hole Found In Apache

Security experts claim they’ve discovered a yet-to-be-patched vulnerability in the Apache HTTP server. The hole, according to their claims, allows hackers to access protected resources within the internal network. Due to the importance of the issue, Apache developers gathered a conference where they tried to decide how to fix the problem.

All you need for “goodnight Vienna” to happen on the internal network is for some rewrite rules not to be configured correctly. Right after this you can see hackers inside the server doing whatever they want. The big hole hits Apache installations operating in reverse proxy mode – that’s what is used for load balancing, caching and many other operations using multiple servers.

The matter is that while trying to set up Apache HTTPD to work as a reverse proxy, server administrators have to use some specialized modules, such as mod_proxy or mod_rewrite. That’s where it happens: if some rules aren’t determined properly, hackers are able to trick servers into performing unauthorized requests in order to access internal resources. In fact, the trouble has been around for a while, because the patch was released to fix something similar last month.

Nevertheless, after security experts reviewed the patch in question, they realized that it can be easily bypassed thanks to a bug in the procedure for Uniform Resource Identifier scheme stripping. In other words, you have to clearly understand what you are doing, since the fault was something to do with the part of Uniform Resource Identifier coming before the colon. So, if you haven’t mastered your colon, it can become a problem with your Apache server configuration.

As for Apache, they’ve had a discussion about the outlined issue and the problem was allocated to have a look at it. Today the developers aren’t sure what will be better to do with the discovered vulnerability – either to strengthen the earlier released patch in the server code so that it could reject requests of this type or make up something a bit heavier. The reason why they can’t agree on details is the suggestion made by some experts who believe that tinkering with one branch of the code may also have negative consequences. For example, this move can lead to opening another hole somewhere else.


No comments: