The Apache HTTP Server is a freely available Web server. The Apache HTTP Server ("httpd") is a project of The Apache Software Foundation.
Depending on the reverse proxy configuration, Apache HTTP Server is prone to a vulnerability that could allow access to internal systems from the Internet. If a malformed request URL containing a scheme is constructed, the proxy's access restrictions can be bypassed.
Successful exploitation requires the use of the "ProxyPassMatch" and "RewriteRule" configuration directives with a certain pattern match.
This problem was confirmed in the following versions of Apache HTTP Server, but other versions may also be affected.
Apache HTTP Server 2.2.21
Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in place
Apache addressed the vulnerability in Apache HTTP Server Version 2.2.22 (http://httpd.apache.org/security/vulnerabilities_22.html).
CVSS Scoring System
The CVSS score is: 4.3
Base Score: 4.3
Temporal Score: 3.4
We used the following values to calculate the scores:
Base score is: AV:N/AC:M/Au:N/C:N/I:P/A:N
Temporal score is: E:POC/RL:O/RC:C
TRIGGERING THE PROBLEM
To trigger the problem, the following two proofs of concept can be used.
GET @localhost::<PORT>, where <PORT> is any port number being requested.
GET <random_string>:@<internalservername>, where <random_string> is any string and <internalservername> is the domain of an internal server being requested.
Example for POC1:
GET @localhost::8880 HTTP/1.0\r\n\r\n
Upon receiving the request, Apache translates the URL by applying the rewrite rules. The "uri" extracted is ":8880", which gets appended, resulting in the URL http://www.example.com:8880. The "uri" extracted in this case is everything following the first occurrence of the colon (:) in the request. Since the crafted request has two colons (::), the second colon is treated as being part of the URI.
So, if www.example.com has something listening on port 8880, a malicious user has gained access to that service's page.
Example for POC2:
GET qualys:@qqq.qq.qualys.com HTTP/1.0\r\n\r\n
Upon receiving the request, Apache translates the URL by applying the rewrite rules. The "uri" extracted is "@qqq.qq.qualys.com", which gets appended, resulting in the URL http://www.example.com@qqq.qq.qualys.com. The "uri" extracted in this case is everything following the first occurrence of the colon (:) in the request.
This is treated as <username>@<host>, giving access to <host> if no authentication is required.
In order to exploit this vulnerability, a malicious user either needs to identify an open port on an internal server and send a crafted request as shown in the example for POC1, or needs to create a malformed request naming an internal server as shown in the example for POC2.
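Both proofs of concept share one trait: the request-target is neither an origin-form path starting with "/" nor an absolute URL, so a front-end check on the request line catches them before any rewrite runs. The following detector is an added example written for this advisory, not Qualys or Apache code; the regular expressions, reason strings and sample request lines are constructed here.

```python
import re

# Well-formed request-targets (RFC 7230 s.5.3): origin-form "/path",
# absolute-form "scheme://host/...", "*" for OPTIONS, "host:port" for CONNECT.
ORIGIN_FORM = re.compile(r"^/\S*$")
ABSOLUTE_FORM = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://\S+$")
AUTHORITY_FORM = re.compile(r"^[A-Za-z0-9.-]+:\d+$")

def classify_request_target(method, target):
    """Return None for a well-formed target, else a reason string."""
    if ORIGIN_FORM.match(target) or ABSOLUTE_FORM.match(target):
        return None
    if method == "OPTIONS" and target == "*":
        return None
    if method == "CONNECT" and AUTHORITY_FORM.match(target):
        return None
    # POC1 shape: "@localhost::<port>"; the text after the first colon
    # (":<port>") gets appended to the backend URL as a port.
    if target.startswith("@") and "::" in target:
        return "userinfo prefix with doubled colon (port injection)"
    # POC2 shape: "<string>:@<host>"; "@<host>" gets appended, so the
    # backend name becomes userinfo and <host> becomes the real target.
    if re.match(r"^[^/:@]+:@", target):
        return "credentials-style prefix redirecting to another host"
    return "request-target is neither origin-form nor absolute-form"

def scan_request_lines(lines):
    """Return (line, reason) for every request line worth blocking or alerting on."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            findings.append((line, "unparseable request line"))
            continue
        reason = classify_request_target(parts[0], parts[1])
        if reason:
            findings.append((line, reason))
    return findings

# Constructed sample traffic: both advisory PoCs plus benign request lines.
SAMPLE_LINES = [
    "GET /index.html HTTP/1.1",
    "GET http://www.example.com/status HTTP/1.1",
    "GET @localhost::8880 HTTP/1.0",
    "GET qualys:@qqq.qq.qualys.com HTTP/1.0",
    "OPTIONS * HTTP/1.1",
]
```

Running scan_request_lines(SAMPLE_LINES) flags only the two PoC lines; the same check can be applied to access-log request fields to find past probing.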
This vulnerability was discovered by Prutha Parikh, Qualys Vulnerability Signature/Research Team.