On 12/16/2011 3:13 AM, Joe Orton wrote:
> On Thu, Dec 15, 2011 at 10:04:03AM -0500, Jeff Trawick wrote:
>> On Wed, Nov 23, 2011 at 9:23 AM, Joe Orton <[email protected]> wrote:
>>> Prutha Parikh from Qualys reported a variant on the CVE-2011-3368 attack
>>> against certain mod_proxy/mod_rewrite configurations. A new CVE name,
>>> CVE-2011-4317, has been assigned to this variant.
>>>
>>> The configurations in question are the same as affected by -3368, e.g.:
>>>
>>> RewriteRule ^(.*) http://www.example.com$1 [P]
>>>
>>> and the equivalent ProxyPassMatch. Request examples are:
>>>
>>> GET @localhost::8880 HTTP/1.0\r\n\r\n
>>> GET qualys:@qqq.qq.qualys.com HTTP/1.0\r\n\r\n
>>
>> These appear to not apply to 2.0.x because of a difference in URI
>> parsing between apr-util 0.9.x and apr-util 1.something.x.
>>
>> Has anyone else tried that on 2.0.x?
>
> Tomas Hoger tracked this down to a change to apr_uri_parse(), see here:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=756483#c8
>
> The referenced change is in APR-util version 1.2.13, so httpd is not
> vulnerable if using APR-util 1.2.12 or older versions.

Can we determine this to be errant behavior in apr_uri_parse?
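
An added example, not part of the thread and not httpd or APR-util code: it joins the quoted `RewriteRule` prefix with each request-target from the thread and reads the host of the result by the RFC 3986 userinfo rule, then applies a leading-slash guard. The helper names `concat_host` and `target_is_abs_path` are hypothetical, and the guard is one possible check, assumed here rather than taken from the actual fix.

```c
#include <stdio.h>
#include <string.h>

/* Copy host[:port] of an absolute URL into out. RFC 3986 rule: the authority
 * ends at the first '/', '?' or '#', and everything before the last '@'
 * inside it is userinfo, not host. Returns 0 on success, -1 on error. */
static int url_hostport(const char *url, char *out, size_t outlen)
{
    const char *p = strstr(url, "://");
    if (p == NULL) return -1;
    p += 3;
    size_t alen = strcspn(p, "/?#");
    const char *host = p;
    for (size_t i = 0; i < alen; i++)
        if (p[i] == '@') host = p + i + 1;
    size_t hlen = alen - (size_t)(host - p);
    if (hlen + 1 > outlen) return -1;
    memcpy(out, host, hlen);
    out[hlen] = '\0';
    return 0;
}

/* Hypothetical helper: join prefix and request-target with no validation,
 * as the RewriteRule substitution does, and report the resulting host. */
static int concat_host(const char *prefix, const char *target,
                       char *out, size_t outlen)
{
    char url[512];
    int n = snprintf(url, sizeof url, "%s%s", prefix, target);
    if (n < 0 || (size_t)n >= sizeof url) return -1;
    return url_hostport(url, out, outlen);
}

/* Hypothetical guard: only an abs_path ("/...") may be appended to the prefix. */
static int target_is_abs_path(const char *t) { return t[0] == '/'; }

int main(void)
{
    /* Request-targets quoted in the thread, plus one ordinary path. */
    const char *targets[] = { "/index.html", "@localhost::8880",
                              "qualys:@qqq.qq.qualys.com" };
    char host[256];
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        if (concat_host("http://www.example.com", targets[i], host, sizeof host) == 0)
            printf("%-28s host=%-20s %s\n", targets[i], host,
                   target_is_abs_path(targets[i]) ? "forward" : "reject");
    return 0;
}
```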
