You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by fi...@apache.org on 2023/03/07 17:37:10 UTC
svn commit: r1908165 - /httpd/httpd/branches/2.4.x/CHANGES
Author: fielding
Date: Tue Mar 7 17:37:10 2023
New Revision: 1908165
URL: http://svn.apache.org/viewvc?rev=1908165&view=rev
Log:
unmangle the example config for CVE-2023-2569
Modified:
httpd/httpd/branches/2.4.x/CHANGES
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1908165&r1=1908164&r2=1908165&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Tue Mar 7 17:37:10 2023
@@ -17,18 +17,13 @@ Changes with Apache 2.4.56
Some mod_proxy configurations on Apache HTTP Server versions
2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
Configurations are affected when mod_proxy is enabled along with
- some form of RewriteRule
- or ProxyPassMatch in which a non-specific pattern matches
- some portion of the user-supplied request-target (URL) data and
- is then
- re-inserted into the proxied request-target using variable
- substitution. For example, something like:
- RewriteEngine on
- RewriteRule "^/here/(.*)" "
- http://example.com:8080/elsewhere?$1"
- http://example.com:8080/elsewhere ; [P]
- ProxyPassReverse /here/ http://example.com:8080/
- http://example.com:8080/
+ some form of RewriteRule or ProxyPassMatch in which a non-specific
+ pattern matches some portion of the user-supplied request-target (URL)
+ data and is then re-inserted into the proxied request-target
+ using variable substitution. For example, something like:
+ RewriteEngine on
+ RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
+ ProxyPassReverse /here/ http://example.com:8080/
Request splitting/smuggling could result in bypass of access
controls in the proxy server, proxying unintended URLs to
existing origin servers, and cache poisoning.