You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Eric Covener <co...@apache.org> on 2023/03/07 12:55:07 UTC

[users@httpd] CVE-2023-25690: Apache HTTP Server: HTTP request splitting with mod_rewrite and mod_proxy

Severity: important

Description:

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.




Configurations are affected when mod_proxy is enabled along with some form of RewriteRule
 or ProxyPassMatch in which a non-specific pattern matches
 some portion of the user-supplied request-target (URL) data and is then
 re-inserted into the proxied request-target using variable 
substitution. For example, something like:




RewriteEngine on
RewriteRule "^/here/(.*)" " http://example.com:8080/elsewhere?$1" http://example.com:8080/elsewhere ; [P]
ProxyPassReverse /here/  http://example.com:8080/ http://example.com:8080/ 


Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning.

Credit:

Lars Krapf of Adobe (finder)

References:

https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-25690

Timeline:

2023-02-02: reported


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org