Bugtraq mailing list archives
mod_proxy problem in Apache v1.2b8
From: valgy () GNU AI MIT EDU (Valgamon)
Date: Mon, 28 Apr 1997 23:16:42 -0400
A little(?) problem I noticed in the eighth beta of Apache v1.2

Synopsis: When the proxy module is compiled into the server executable, and the access configuration file is set up for host-based denial, an attacker can still access the proxy and effectively appear to be coming from your host while browsing the web. This problem seems to be platform-independent.

Background: I was testing Apache's viability as an alternative to the TIS Firewall Toolkit's HTTP proxy. The access.conf file had been correctly set to deny all hosts access to the proxy except for my testing machine, as follows:

    <Directory proxy:*>
    <Limit GET>
    order deny,allow
    deny from all
    allow from testing.machine.ip.address
    </Limit>
    </Directory>

Yet it still allows any host to retrieve any website as long as you leave off the trailing forward slash from the GET request. When telnetting to the proxy port from hosts that should be denied access to the proxy, I issued two very similar GET requests and got two different results.

    GET http://www.yahoo.com      <--- gives you the page!! It should not!
    GET http://www.yahoo.com/     <--- denies you, like it's supposed to.

The only difference is that forward slash on the end of the 2nd request. The docs are very sparse in this area, so I emailed apache-bugs () apache org. Chuck Murcko responded, confirming that this was indeed a new bug, and assured me that it will be fixed in 1.2b10.

Temporary Fix: use a <File> block instead of <Directory>.

-- 
Lou Rinaldi - Co-Founder of the Connecticut Free Unix Group (www.CFUG.org)
"Many people equate the word 'daemon' with the word 'demon,' implying some kind of Satanic connection between UNIX and the underworld." -Evi Nemeth
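The report above is an instance of a general class of bug: an access decision is computed over a non-canonical form of the request, so two spellings of the same target (with and without the trailing slash) reach different code paths. The following is an added example, not part of the original post and not Apache's code. The report does not say why the slash-less form escaped the <Directory proxy:*> section, so the "naive" checker assumes one plausible mechanism (the section is consulted once per path component, and an empty path has none); the client addresses, the request lines and the `naive_decision` / `fixed_decision` functions are all constructed for illustration. The fixed checker shows the remedy a practitioner wants: canonicalize the request-URI first, then apply the host rule.

```python
"""Trailing-slash ACL bypass in a forward proxy, in the shape of the
Apache 1.2b8 mod_proxy report.

Constructed demonstration, not Apache code. naive_decision() models a
hypothetical cause of the bug; fixed_decision() canonicalizes the target
before any access check so both spellings get the same answer.
"""
import fnmatch
from urllib.parse import urlsplit, urlunsplit

# Policy from the report: order deny,allow / deny from all /
# allow from <testing machine>. The address is constructed.
ALLOWED_CLIENTS = {"192.0.2.10"}
PROXY_SECTION = "proxy:*"   # the <Directory proxy:*> pattern


def request_target(request_line):
    """Extract the absolute-URI from a proxy request line such as
    'GET http://www.yahoo.com HTTP/1.0'. The HTTP-version may be absent,
    as in the telnet session in the report."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        raise ValueError("unsupported request line: %r" % request_line)
    return parts[1]


def host_rule(client_ip):
    """deny from all, allow from the testing machine. With 'order deny,allow'
    the allow line wins for listed hosts."""
    return "allow" if client_ip in ALLOWED_CLIENTS else "deny"


def path_components(path):
    """Directory-style walk of a URL path:
    '/a/b' -> ['/', '/a/', '/a/b'];  '/' -> ['/'];  '' -> []."""
    comps, cur = [], ""
    for ch in path:
        cur += ch
        if ch == "/":
            comps.append(cur)
    if cur and not cur.endswith("/"):
        comps.append(cur)
    return comps


def naive_decision(client_ip, request_line):
    """Hypothetical buggy checker. The proxy:* section is consulted once per
    path component of the target; a target with an empty path produces no
    components, so the section is never applied and the server default
    (allow) leaks through. This is an assumed mechanism, not the 1.2b8 code."""
    target = request_target(request_line)
    decision = "allow"
    for _component in path_components(urlsplit(target).path):
        if fnmatch.fnmatch("proxy:" + target, PROXY_SECTION):
            decision = host_rule(client_ip)
    return decision


def canonicalize(target):
    """Normalize an absolute-URI so equivalent spellings compare equal:
    lowercase scheme and host, empty path becomes '/', fragment dropped."""
    p = urlsplit(target)
    if p.scheme not in ("http", "ftp") or not p.netloc:
        raise ValueError("not an absolute proxy target: %r" % target)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(),
                       p.path or "/", p.query, ""))


def fixed_decision(client_ip, request_line):
    """Canonicalize first, then match the section and apply the host rule.
    'http://www.yahoo.com' and 'http://www.yahoo.com/' now take the same path."""
    target = canonicalize(request_target(request_line))
    if fnmatch.fnmatch("proxy:" + target, PROXY_SECTION):
        return host_rule(client_ip)
    return "allow"   # not a proxy target; ordinary document-tree rules apply


if __name__ == "__main__":
    attacker = "203.0.113.5"     # constructed: a host that should be denied
    for line in ("GET http://www.yahoo.com", "GET http://www.yahoo.com/"):
        print("%-28s naive=%-5s fixed=%s" % (
            line, naive_decision(attacker, line), fixed_decision(attacker, line)))
```

Run stand-alone, the naive checker allows the slash-less request and denies the slashed one, reproducing the asymmetry in the report, while the fixed checker denies both for the outside host and allows both for the testing machine. The design point is ordering: canonicalization (and any other rewriting of the request, including the proxy's own "filename" prefixing) must happen before the access-control walk, never after it.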
Current thread:
- mod_proxy problem in Apache v1.2b8 Valgamon (Apr 28)
- Re: mod_proxy problem in Apache v1.2b8 Dean Gaudet (Apr 30)