Thank you for pointing it out.
After turning off ProxyRequests and making one change within the snippet below,
the Qualys vulnerabilities 62002 and 62054 were resolved.

<Directory "${SRVROOT}/cgi-bin">
AllowOverride None
Options None
Require all denied
</Directory>

We made sure it doesn't break the integration we had with Apache HTTPD. Thanks 
again.
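The fix reported above (ProxyRequests Off while keeping the ProxyPass mappings), together with the restricted forward-proxy alternative that Eric describes further down the thread, as an added configuration example. It is not the poster's httpd.conf and not from the Apache project. The ProxyPass lines are the ones from the original post; the server names, the 10.0.0.0/8 client range, the intranet destination and port 3128 are assumptions.

```apache
# Added example, not the poster's httpd.conf. Everything except the ProxyPass
# lines (names, addresses, ports) is an assumption.

LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# What the scanner tested. With ProxyRequests On, any client that can reach
# the listener can send "GET http://some-other-host:port/ HTTP/1.0" and have
# httpd connect out to that host; the only control in the original config was
# a deprecated Order/Allow list keyed on a DNS domain name.
#
#   ProxyRequests On
#   <Proxy *>
#       Order deny,allow
#       Deny from all
#       Allow from corpr.company_domain.local
#   </Proxy>

# Case 1 (the usual one, and the fix the thread settled on): reverse proxy
# only. ProxyPass/ProxyPassReverse do not need ProxyRequests, so the
# /fontoxml and /api/fonto integration keeps working.
ProxyRequests Off

<VirtualHost *:80>
    ServerName cms.example.internal          # assumed

    ProxyPreserveHost On
    ProxyTimeout 3600

    ProxyPass         /fontoxml                       http://localhost:9191/fontoxml
    ProxyPassReverse  /fontoxml                       http://localhost:9191/fontoxml
    ProxyPass         /api/fonto/proxy/spell-checker  http://localhost:6050
    ProxyPassReverse  /api/fonto/proxy/spell-checker  http://localhost:6050
    ProxyPass         /api/fonto                      http://localhost:9191/api/fonto
    ProxyPassReverse  /api/fonto                      http://localhost:9191/api/fonto

    TraceEnable Off
</VirtualHost>

# Case 2 (only if a forward proxy is genuinely needed): give it its own
# listener and restrict both who may use it and where it may connect, using
# 2.4-style Require instead of the deprecated Order/Allow/Deny directives.
Listen 3128
<VirtualHost *:3128>
    ServerName proxy.example.internal        # assumed
    ProxyRequests On
    ProxyVia On

    # Deny every destination by default ...
    <Proxy "*">
        Require all denied
    </Proxy>

    # ... then allow-list destinations. Later matching <Proxy> sections are
    # merged on top of earlier ones, so this one wins for the intranet host.
    # Clients are limited by source address, not by a reverse-DNS name.
    <Proxy "http://intranet.example.internal/*">
        Require ip 10.0.0.0/8
    </Proxy>
</VirtualHost>
```

Check the syntax with `httpd -t` (or `apachectl configtest`) before reloading. To verify the result the same way the scanner did, start a listener on a host you control (for example `nc -l 32943`) and from a client send an absolute-URI request through the server: `curl -x http://cms.example.internal:80/ http://<listener-ip>:32943/`. With Case 1 the listener must never see a connection; with Case 2 it must see one only from an allowed client address and only for an allow-listed destination.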

From: Eric Covener <cove...@gmail.com>
Sent: Friday, September 27, 2024 7:16 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] How to fix Apache HTTPD Unauthenticated/Open Web 
Proxy Vulnerability?


I suspect you are not running a forward proxy on purpose, so you should not 
have "ProxyRequests ON" in your configuration.  You should just test without 
this, remove the other additions, and move on.

If you're running a forward proxy on purpose, you have to restrict who can 
access it (and what hosts it can access).  You need to be able to test it as 
you go. You seem to have a combination of different access control snippets, 
including deprecated ones like "order" and "allow" and an unnecessary 
authconfig.  I suggest starting over based on how you expect to limit users -- 
are you going to maintain an htpasswd entry for each user?  Or use "require" to 
allow IP ranges or domains?  Again, you need to be able to test this as you go.


On Fri, Sep 27, 2024 at 7:31 AM Shinde, Pramod K 
<pshi...@jjkeller.com.invalid> wrote:
Hello,

We are using Apache HTTPD 2.4.53 for an internal content management system. It 
is not customer-facing. The security solution considers the proxy vulnerable to 
an "Unauthenticated/Open Web Proxy Detected" vulnerability. After many back and 
forths with them to check if it's a false positive, we still made these changes 
in httpd.conf file as per this Apache documentation 
https://httpd.apache.org/docs/current/howto/auth.html


Do you think this is the fix for the above-mentioned vulnerabilities? The 
reason to ask here is that Qualys doesn't provide any CVE and asks us to 
confirm from Apache.
This is the solution given by Qualys, which we tried to apply within 
httpd.conf. Let me know if we misunderstood:

SOLUTION:
Configure your proxy server to only allow connections from valid users/hosts 
within your internal network, or to require authentication in order
to use the proxy services. If you need more assistance on how to do this, 
please contact the vendor of the proxy software.



=================Vulnerability Details==============
62054- Unauthenticated/Open Web Proxy Detected (External)
62002- Unauthenticated/Open Web Proxy Detected
IMPACT:
Successful exploitation may allow unauthorized users to browse the Internet 
with your IP address , your Intranet and Web server. This may also be
exploited to scan non-http services inside your firewall.
SOLUTION:
Reconfigure your proxy.
COMPLIANCE:
Not Applicable
EXPLOITABILITY:
There is no exploitability information for this vulnerability.
ASSOCIATED MALWARE:
There is no malware information for this vulnerability.
RESULTS:
GET http://QualysScannerApplianceIP:32943/ HTTP/1.0
======================
Here is how we made the changes in Apache's httpd.conf file
Code:

#Sept 2024 - Attempting to fix unauthenticated proxy vul (QIDs 62002 and 62054)
AllowOverride AuthConfig

#Sept 2024 - Attempting to fix unauthenticated proxy vul (QIDs 62002 and 62054)
# (the opening <Directory ...> line matching the </Directory> below was not
#  preserved in the archived message)
    Order allow,deny
    Allow from corpr.company_domain.local
#Sept 2024 - Attempting to fix unauthenticated proxy vul (QIDs 62002 and 62054)
    AuthType Basic
    AuthName "Restricted Files"
    ## (Following line optional)
    #AuthBasicProvider file
    AuthUserFile "C:\httpd-2.4.53-win64-VS16\Apache24\passwd\passwords"
    Require user rbowen
</Directory>


# Mod_Proxy Settings
<VirtualHost *>
    ProxyRequests On
    ProxyTimeout 3600
    ProxyPreserveHost On

    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from corpr.company_domain.local
    </Proxy>
</VirtualHost>

ProxyPass         /fontoxml  http://localhost:9191/fontoxml
ProxyPassReverse  /fontoxml  http://localhost:9191/fontoxml

ProxyPass         /api/fonto/proxy/spell-checker  http://localhost:6050
ProxyPassReverse  /api/fonto/proxy/spell-checker  http://localhost:6050

ProxyPass         /api/fonto  http://localhost:9191/api/fonto
ProxyPassReverse  /api/fonto  http://localhost:9191/api/fonto

#QID 12680: HTTP TRACE / TRACK Methods Enabled
TraceEnable off



--
Eric Covener
cove...@gmail.com
