Apache reverse proxy bug allows compromising internal system

The Apache team is working on a fix for a new vulnerability that allows an attacker on the internet to reach internal systems behind the server. This zero-day was reported by Prutha Parikh of Qualys.

The published blog post gives two examples of how to exploit this vulnerability against a fully patched Apache web server (version 2.2.21). The crafted requests look as follows:

GET @localhost::8880 HTTP/1.0\r\n\r\n

GET qualys:@qqq.qq.qualys.com HTTP/1.0\r\n\r\n

As there is still no patch available, it is important to apply the workaround mentioned on the blog, especially since the exploit for this zero-day is now publicly available to anyone.
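As an added example (not from the original post or from Qualys), the following Python snippet scans constructed Apache access-log lines in the Common Log Format and flags request lines shaped like the two crafted requests above: a request target that does not begin with `/` and carries an `@` authority separator. The log lines are constructed for illustration and the function names are this example's own.

```python
import re

# Apache Common Log Format: host ident user [time] "request" status bytes
_CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)
# An absolute-URI request ("http://user@host/...") is normal for forward
# proxies; exclude those so only scheme-less '@' targets are flagged.
_ABSOLUTE_URI = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://')


def parse_request_target(request_line):
    """Split 'METHOD TARGET VERSION'; return TARGET, or None if malformed."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return None
    return parts[1]


def is_proxy_abuse_candidate(target):
    """True for targets shaped like the crafted requests: no leading '/',
    not an absolute URI, and an '@' that can shift the host the proxy
    connects to."""
    if target.startswith("/") or _ABSOLUTE_URI.match(target):
        return False
    return "@" in target


def find_suspicious(log_lines):
    """Return (client, request line) pairs whose target looks crafted."""
    hits = []
    for line in log_lines:
        m = _CLF.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        target = parse_request_target(m.group("request"))
        if target is not None and is_proxy_abuse_candidate(target):
            hits.append((m.group("host"), m.group("request")))
    return hits


# Constructed sample log: two crafted requests, two benign ones.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Oct/2011:10:00:00 +0000] "GET @localhost::8880 HTTP/1.0" 200 512',
    '203.0.113.5 - - [05/Oct/2011:10:00:01 +0000] "GET qualys:@qqq.qq.qualys.com HTTP/1.0" 200 128',
    '198.51.100.7 - - [05/Oct/2011:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '198.51.100.7 - - [05/Oct/2011:10:00:03 +0000] "GET /mail?user=a@b.example HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for client, request in find_suspicious(SAMPLE_LOG):
        print(f"{client}: {request}")
```

Run against a real access log, the script lists client addresses that sent requests of this shape; a `/`-prefixed path containing `@` in a query string is deliberately not flagged.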
