Apache reverse proxy bug allows compromising internal system
The Apache team is working on a fix for a new vulnerability that allows an attacker on the internet to gain internal access to the system. This zero-day was reported by Prutha Parikh of Qualys.
The published blog post gives 2 examples of how to exploit this vulnerability against a fully patched Apache Web Server (version 2.2.21). The crafted requests look as follows:
GET @localhost::8880 HTTP/1.0\r\n\r\n
GET qualys:@qqq.qq.qualys.com HTTP/1.0\r\n\r\n
As there is still no patch available, it is important to apply the workaround mentioned in the blog post, especially now that the means of exploiting this zero-day are available to any user.
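A log check for the two request shapes quoted above, added here as an example and not taken from the Qualys post or the Apache project: it flags access-log entries whose request-target is not one of the standard HTTP forms (a path starting with "/", "*" for OPTIONS, an absolute http(s) URL, or host:port for CONNECT). The log lines, client addresses, status codes and function names are constructed for illustration.

```python
import re

# Apache common/combined log format: the request line is the first quoted field.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/\d\.\d))?"'
)

def target_form(method, target):
    """Classify a request-target; 'malformed' covers the shapes quoted in the article."""
    if target.startswith("/"):
        return "origin"                      # normal path request
    if target == "*" and method == "OPTIONS":
        return "asterisk"
    if re.match(r"(?i)^https?://", target):
        return "absolute"                    # forward-proxy style full URL
    if method == "CONNECT" and re.match(r"^\[?[0-9A-Za-z.:\-]+\]?:\d+$", target):
        return "authority"                   # host:port for tunnels
    return "malformed"

def suspicious_requests(lines):
    """Return (client, method, target) for every entry with a malformed target."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and target_form(m["method"], m["target"]) == "malformed":
            client = line.split(" ", 1)[0]
            hits.append((client, m["method"], m["target"]))
    return hits

# Constructed sample entries (documentation address ranges, invented sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Nov/2011:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [25/Nov/2011:10:00:02 +0000] "GET @localhost::8880 HTTP/1.0" 200 1033',
    '198.51.100.7 - - [25/Nov/2011:10:00:03 +0000] "GET qualys:@qqq.qq.qualys.com HTTP/1.0" 200 87',
    '192.0.2.11 - - [25/Nov/2011:10:00:04 +0000] "OPTIONS * HTTP/1.1" 200 -',
    '192.0.2.12 - - [25/Nov/2011:10:00:05 +0000] "GET http://www.example.com/ HTTP/1.1" 200 44',
]

if __name__ == "__main__":
    for client, method, target in suspicious_requests(SAMPLE_LOG):
        print(f"{client} sent {method} with non-standard target {target!r}")
```

A hit only shows that such a request reached the server; whether it was forwarded to an internal host depends on the proxy configuration.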