Apache reverse proxy bug allows compromising internal system


Apache team is working on fixing a new vulnerability that allows an attacker from internet to have an internal access to the system. This zero day is reported by Prutha Parikh from Qualys.

On a blog post published there are 2 examples on how to exploit this vulnerability with a fully patched Apache Web Server (Version 2.2.21). The crafted requests look as follows:

GET @localhost::8880 HTTP/1.0\r\n\r\n

GET qualys:@qqq.qq.qualys.com HTTP/1.0\r\n\r\n

As there still no patch available it is important to apply the workaround mentioned on the blog especially that exploiting this zero day is now available for any user.