Jeff Trawick writes:
scheme: @localhost, path: :8880
not a valid scheme; apr_uri_parse should have failed it for that
reason (needs to start with lower case, continue with lower case or
digit or +.-)
...
so: does fixing apr_uri_parse() resolve these? not generally (but I
opened bug
On Thu, Jan 12, 2012 at 4:54 AM, Tomas Hoger tho...@redhat.com wrote:
Jeff Trawick trawick at gmail.com writes:
Tomas Hoger tracked this down to a change to apr_uri_parse(), see here:
https://bugzilla.redhat.com/show_bug.cgi?id=756483#c8
The referenced change is in APR-util version
Jeff Trawick trawick at gmail.com writes:
Tomas Hoger tracked this down to a change to apr_uri_parse(), see here:
https://bugzilla.redhat.com/show_bug.cgi?id=756483#c8
The referenced change is in APR-util version 1.2.13, so httpd is not
vulnerable if using APR-util 1.2.12 or older
On Fri, Dec 16, 2011 at 7:35 PM, William A. Rowe Jr.
wr...@rowe-clan.net wrote:
On 12/16/2011 3:13 AM, Joe Orton wrote:
On Thu, Dec 15, 2011 at 10:04:03AM -0500, Jeff Trawick wrote:
On Wed, Nov 23, 2011 at 9:23 AM, Joe Orton jor...@redhat.com wrote:
Prutha Parikh from Qualys reported a variant
On Thu, Dec 15, 2011 at 10:04:03AM -0500, Jeff Trawick wrote:
On Wed, Nov 23, 2011 at 9:23 AM, Joe Orton jor...@redhat.com wrote:
Prutha Parikh from Qualys reported a variant on the CVE-2011-3368 attack
against certain mod_proxy/mod_rewrite configurations. A new CVE name,
CVE-2011-4317,
Sorry, I missed this earlier.
On Mon, Dec 12, 2011 at 01:24:51PM -0500, Jeff Trawick wrote:
The new code and the core translate name hook agree on something critical:
if it isn't * and it isn't a fully qualified path, return 400.
For proxy and rewrite to return 400 without knowing if these
On Fri, Dec 16, 2011 at 11:17 AM, Joe Orton jor...@redhat.com wrote:
Sorry, I missed this earlier.
On Mon, Dec 12, 2011 at 01:24:51PM -0500, Jeff Trawick wrote:
The new code and the core translate name hook agree on something critical:
if it isn't * and it isn't a fully qualified path,
On 12/16/2011 3:13 AM, Joe Orton wrote:
On Thu, Dec 15, 2011 at 10:04:03AM -0500, Jeff Trawick wrote:
On Wed, Nov 23, 2011 at 9:23 AM, Joe Orton jor...@redhat.com wrote:
Prutha Parikh from Qualys reported a variant on the CVE-2011-3368 attack
against certain mod_proxy/mod_rewrite
On Wed, Nov 23, 2011 at 9:23 AM, Joe Orton jor...@redhat.com wrote:
Prutha Parikh from Qualys reported a variant on the CVE-2011-3368 attack
against certain mod_proxy/mod_rewrite configurations. A new CVE name,
CVE-2011-4317, has been assigned to this variant.
The configurations in question
On Thu, Dec 15, 2011 at 11:04 PM, Jeff Trawick traw...@gmail.com wrote:
On Wed, Nov 23, 2011 at 9:23 AM, Joe Orton jor...@redhat.com wrote:
Prutha Parikh from Qualys reported a variant on the CVE-2011-3368 attack
against certain mod_proxy/mod_rewrite configurations. A new CVE name,
On Mon, Nov 28, 2011 at 9:38 AM, Joe Orton jor...@redhat.com wrote:
On Thu, Nov 24, 2011 at 11:37:34PM +0100, Rainer Jung wrote:
Don't know whether that could happen here, but could OPTIONS * be
a problem?
Hmmm, another good question.
What should mod_rewrite or mod_proxy's translate_name
On Wed, Nov 23, 2011 at 04:53:46PM +0100, Plüm, Rüdiger, VF-Group wrote:
One comment though: Shouldn't we check r->unparsed_uri as well (at least
in the proxy case, as it may be used by ap_proxy_trans_match instead of
r->uri)?
Thanks for looking at this!
I'm not sure how we could check
On Thu, Nov 24, 2011 at 11:37:34PM +0100, Rainer Jung wrote:
Don't know whether that could happen here, but could OPTIONS * be
a problem?
Hmmm, another good question.
What should mod_rewrite or mod_proxy's translate_name hook do for a
request-URI of *? 2616 says:
The asterisk *
On 23.11.2011 15:23, Joe Orton wrote:
Prutha Parikh from Qualys reported a variant on the CVE-2011-3368 attack
against certain mod_proxy/mod_rewrite configurations. A new CVE name,
CVE-2011-4317, has been assigned to this variant.
The configurations in question are the same as affected by
On 24.11.2011 23:37, Rainer Jung wrote:
On 23.11.2011 15:23, Joe Orton wrote:
Prutha Parikh from Qualys reported a variant on the CVE-2011-3368 attack
against certain mod_proxy/mod_rewrite configurations. A new CVE name,
CVE-2011-4317, has been assigned to this variant.
The configurations
Prutha Parikh from Qualys reported a variant on the CVE-2011-3368 attack
against certain mod_proxy/mod_rewrite configurations. A new CVE name,
CVE-2011-4317, has been assigned to this variant.
The configurations in question are the same as affected by -3368, e.g.:
RewriteRule ^(.*)
-----Original Message-----
From: Joe Orton [mailto:jor...@redhat.com]
Sent: Wednesday, 23 November 2011 15:23
To: dev@httpd.apache.org
Subject: [RFC] further proxy/rewrite URL validation security
issue (CVE-2011-4317)
Prutha Parikh from Qualys reported a variant on the
CVE-2011