On Thu, Dec 15, 2011 at 10:04:03AM -0500, Jeff Trawick wrote: > On Wed, Nov 23, 2011 at 9:23 AM, Joe Orton <[email protected]> wrote: > > Prutha Parikh from Qualys reported a variant on the CVE-2011-3368 attack > > against certain mod_proxy/mod_rewrite configurations. A new CVE name, > > CVE-2011-4317, has been assigned to this variant. > > > > The configurations in question are the same as affected by -3368, e.g.: > > > > RewriteRule ^(.*) http://www.example.com$1 [P] > > > > and the equivalent ProxyPassMatch. Request examples are: > > > > GET @localhost::8880 HTTP/1.0\r\n\r\n > > GET qualys:@qqq.qq.qualys.com HTTP/1.0\r\n\r\n > > These appear to not apply to 2.0.x because of a difference in URI > parsing between apr-util 0.9.x and apr-util 1.something.x. > > Has anyone else tried that on 2.0.x?
Tomas Hoger tracked this down to a change to apr_uri_parse(), see here: https://bugzilla.redhat.com/show_bug.cgi?id=756483#c8 The referenced change is in APR-util version 1.2.13, so httpd is not vulnerable if using APR-util 1.2.12 or older versions. Regards, Joe
