You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Eric Covener <co...@apache.org> on 2023/03/07 12:55:07 UTC
[users@httpd] CVE-2023-25690: Apache HTTP Server: HTTP request splitting with mod_rewrite and mod_proxy
Severity: important
Description:
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
Configurations are affected when mod_proxy is enabled along with some form of RewriteRule
or ProxyPassMatch in which a non-specific pattern matches
some portion of the user-supplied request-target (URL) data and is then
re-inserted into the proxied request-target using variable
substitution. For example, something like:
RewriteEngine on
RewriteRule "^/here/(.*)" " http://example.com:8080/elsewhere?$1" http://example.com:8080/elsewhere ; [P]
ProxyPassReverse /here/ http://example.com:8080/ http://example.com:8080/
Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning.
Credit:
Lars Krapf of Adobe (finder)
References:
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-25690
Timeline:
2023-02-02: reported
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org