Prutha Parikh, vulnerability signature engineer at Qualys, blogged that she uncovered the issue while creating a QualysGuard vulnerability signature for another reverse proxy issue, detailed in CVE-2011-3368. While reviewing the patch for the older bug, she discovered it was still possible to use a crafted request to exploit a fully-patched Apache Web Server.
In the proof-of-concept demonstrations in her blog post, Parikh outlined two examples in which an Apache Web Server (version 2.2.21) with the CVE-2011-3368 patch applied, configured as a reverse proxy with incorrectly written RewriteRule/ProxyPassMatch rules, could be compromised by an attacker looking to circumvent security mechanisms.
“The patch for CVE-2011-3368 is straightforward and self-explanatory,” she blogged. “The ‘server/protocol.c’ file was modified. The patch looks at the request being sent and returns an HTTP 400 response (Bad Request) if the URL does not begin with a forward slash ‘/’.”
“This part of the code takes care of the issue for CVE-2011-3368,” she continued.
However, a closer analysis of the patch reveals it does not process URIs (uniform resource identifiers) that have a scheme, she added.
As a result, “if a malformed URL request with a scheme was constructed, it would still be possible to bypass security and gain access to systems on the internal server provided that the reverse proxy rules were incorrectly configured,” she wrote.
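The distinction the patch draws (a request-target must begin with “/”, but a target carrying a scheme is never examined) can be turned into a log review check for a reverse proxy. The script below is an added example, not code from the Qualys post or from Apache; it assumes Apache “combined” access-log format, and the log lines, client addresses and the hostname backend.internal.test are constructed placeholders.

```python
import re

# Constructed sample access-log lines in Apache "combined" format (not taken
# from the page). Addresses are RFC 5737 documentation ranges; the host is a
# placeholder under the reserved .test TLD.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2011:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2011:10:00:02 +0000] "GET /app/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2011:10:00:03 +0000] "GET http://backend.internal.test/ HTTP/1.1" 200 88 "-" "curl/7.21"
198.51.100.9 - - [10/Nov/2011:10:00:04 +0000] "GET backend.internal.test/ HTTP/1.1" 400 226 "-" "curl/7.21"
198.51.100.9 - - [10/Nov/2011:10:00:05 +0000] "OPTIONS * HTTP/1.1" 200 0 "-" "curl/7.21"
"""

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})')
SCHEME_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.\-]*:')  # RFC 3986 scheme followed by ':'


def classify_target(target):
    """Classify a request-target the way the CVE-2011-3368 patch looks at it:
    anything beginning with '/' is accepted, the rest is answered with 400,
    except that a target carrying a scheme is not examined at all."""
    if target.startswith('/'):
        return 'origin-form'      # the only form the patch trusts
    if target == '*':
        return 'asterisk-form'    # legitimate for OPTIONS
    if SCHEME_RE.match(target):
        return 'absolute-form'    # has a scheme: outside the patch's check
    return 'other'                # no leading '/', no scheme: patch answers 400


def find_suspicious(log_text):
    """Return log entries whose request-target is not origin-form. On a reverse
    proxy using regex RewriteRule/ProxyPassMatch rules these deserve review;
    a 2xx on an absolute-form target means the rules forwarded it."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = m.group('request').split(' ')
        if len(parts) != 3:
            continue
        method, target, _version = parts
        form = classify_target(target)
        if form == 'origin-form' or (form == 'asterisk-form' and method == 'OPTIONS'):
            continue
        status = int(m.group('status'))
        findings.append({
            'client': m.group('client'), 'time': m.group('time'), 'method': method,
            'target': target, 'form': form, 'status': status,
            'forwarded': form == 'absolute-form' and 200 <= status < 300,
        })
    return findings


if __name__ == '__main__':
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

Entries marked `forwarded` are the ones the patched server did not reject on its own, so they are the first place to look when checking whether proxy rules are anchored correctly.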
Apache developers are working on a fix to address the issue.