> -----Original Message-----
> From: Joe Orton [mailto:[email protected]]
> Sent: Wednesday, 23 November 2011 15:23
> To: [email protected]
> Subject: [RFC] further proxy/rewrite URL validation security
> issue (CVE-2011-4317)
>
> Prutha Parikh from Qualys reported a variant on the CVE-2011-3368 attack
> against certain mod_proxy/mod_rewrite configurations. A new CVE name,
> CVE-2011-4317, has been assigned to this variant.
>
> The configurations in question are the same as affected by -3368, e.g.:
>
> RewriteRule ^(.*) http://www.example.com$1 [P]
>
> and the equivalent ProxyPassMatch. Request examples are:
>
> GET @localhost::8880 HTTP/1.0\r\n\r\n
> GET qualys:@qqq.qq.qualys.com HTTP/1.0\r\n\r\n
>
> These unfortunately do not get trapped in the request parsing trap added
> in r1179239, so result in an input to rewrite rule processing which does
> not match the URL-path grammar (i.e. does not start with "/").
>
> We could try to improve that fix, but I think it would be simpler to
> change the translate_name hooks in mod_proxy and mod_rewrite to enforce
> the requirement in the "right" place. Other translate_name hooks do this
> already.
>
> I propose the patch below. Any comments?
+1. Go ahead with the patch.

One comment though: Shouldn't we check r->unparsed_uri as well (at least in
the proxy case, as it may be used by ap_proxy_trans_match instead of r->uri)?

Regards

Rüdiger
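An added illustration in C (not httpd's code and not the patch under discussion): a stand-in for the URL-path requirement the translate_name hooks are meant to enforce, paired with a small host extractor that shows what the rule above would hand to the proxy if the two request examples were substituted unchecked. The helper names, and the pairing of r->uri with r->unparsed_uri that Rüdiger raises, are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Emulates the check the thread proposes for the mod_proxy/mod_rewrite
 * translate_name hooks: a request-URI reaching RewriteRule/ProxyPassMatch
 * must be a URL-path, i.e. start with "/" ("*" is the OPTIONS form).
 * Returns 1 if acceptable, 0 if the request must be rejected. */
int uri_is_url_path(const char *uri)
{
    if (uri == NULL || uri[0] == '\0') return 0;
    return uri[0] == '/' || strcmp(uri, "*") == 0;
}

/* Rüdiger's follow-up: ap_proxy_trans_match may use r->unparsed_uri, so the
 * proxy case validates both forms (assumed pairing, not httpd's own code). */
int request_uri_acceptable(const char *uri, const char *unparsed_uri)
{
    return uri_is_url_path(uri) && uri_is_url_path(unparsed_uri);
}

/* Host part of an absolute URL: the authority runs from "://" to the next
 * "/", text before its last '@' is userinfo, ":port" may follow the host. */
int target_host(const char *url, char *host, size_t hostlen)
{
    const char *p = strstr(url, "://");
    if (p == NULL) return -1;
    p += 3;
    const char *end = strchr(p, '/');
    if (end == NULL) end = p + strlen(p);
    for (const char *q = p; q < end; q++)
        if (*q == '@') p = q + 1;          /* skip userinfo */
    const char *colon = memchr(p, ':', (size_t)(end - p));
    size_t n = (size_t)((colon ? colon : end) - p);
    if (n >= hostlen) return -1;
    memcpy(host, p, n);
    host[n] = '\0';
    return 0;
}

/* Host mod_proxy would be handed after the page's rule
 *   RewriteRule ^(.*) http://www.example.com$1 [P]
 * substitutes an unchecked URI (static buffer; "" if unparsable). */
const char *host_after_rewrite(const char *uri)
{
    static char target[256], host[128];
    snprintf(target, sizeof target, "http://www.example.com%s", uri);
    if (target_host(target, host, sizeof host) != 0) host[0] = '\0';
    return host;
}
```

With the check in place both sample requests are rejected before substitution; without it, the extracted host is no longer www.example.com.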
