FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Apache 1.3 -- mod_proxy reverse proxy exposure

Affected packages
apache < 1.3.43
apache+ssl < 1.3.43.1.59_2
apache+ipv6 < 1.3.43
apache+mod_perl < 1.3.43
apache+mod_ssl < 1.3.41+2.8.31_4
apache+mod_ssl+ipv6 < 1.3.41+2.8.31_4
ru-apache-1.3 < 1.3.43+30.23_1
ru-apache+mod_ssl < 1.3.43+30.23_1

Details

VuXML ID d8c901ff-0f0f-11e1-902b-20cf30e32f6d
Discovery 2011-10-05
Entry 2011-11-14

Apache HTTP server project reports:

An exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with the proxy flag, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to the attacker. There is no patch against this issue!
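Because no patch is available for the 1.3 branch, a configuration review is the practical check. The following is an added example, not part of this entry or of the Apache report: a small audit script that lists RewriteRule lines that set the proxy flag and whose substitution places a backreference directly after the host with no "/" in between. Treating that shape as the one to review is an assumption of this example, and the host names and sample rules are constructed.

```python
import re

# Constructed sample configuration (not taken from the advisory).
SAMPLE = r"""# reverse proxy rules
RewriteEngine On
RewriteRule (.*)\.(jpg|gif|png) http://images.internal.example$1.$2 [P]
RewriteRule ^/(.*)\.(jpg|gif|png)$ http://images.internal.example/$1.$2 [P,L]
RewriteRule ^/old/(.*) http://www.example.org$1 [R,L]
RewriteRule ^/app(.*) http://app.internal.example$1 [PT]
"""

# scheme://authority followed directly by a backreference ($1, %1, ${map:key})
# with no "/" ending the authority part (assumed review criterion).
NO_SLASH = re.compile(r'^https?://[^/$%\s]*[$%]', re.I)

def has_proxy_flag(flags):
    """True only for P or proxy; [PT] (passthrough) is a different flag."""
    names = [f.strip().split('=')[0].lower()
             for f in flags.strip('[]').split(',')]
    return 'p' in names or 'proxy' in names

def audit(conf_text):
    """Return (line_number, rule) for each proxied rule that needs review.

    Assumes one directive per line and whitespace-separated arguments.
    """
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith('#'):
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0].lower() != 'rewriterule':
            continue
        subst = parts[2].strip('"')
        flags = ' '.join(parts[3:])
        if (flags.startswith('[') and has_proxy_flag(flags)
                and NO_SLASH.match(subst)):
            findings.append((n, line))
    return findings

if __name__ == "__main__":
    for n, rule in audit(SAMPLE):
        print(f"line {n}: review proxied substitution: {rule}")
```

Rules it reports are candidates for rewriting so that the pattern begins with "/" and the substitution has a "/" between the host and the first backreference, as in the second sample rule.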

References

CVE Name CVE-2011-3368
URL http://httpd.apache.org/security/vulnerabilities_13.html
URL http://seclists.org/fulldisclosure/2011/Oct/232