UK researchers have uncovered a vulnerability in Apache Web server security, the open source software that powers the majority of the world’s Web servers. The backdoor threat is a new class of security vulnerability that could allow hackers to gain full Internet access to internal or DMZ (demilitarized zone) systems using insecurely configured reverse Web proxies.
The Apache Software Foundation, which manages Apache Web server, has issued an advisory to all of its customers advising them on how to guard against the flaw, which is expected to be addressed in a future version of Apache.
Context Information Security, who alerted Apache to the problem last month, unearthed the vulnerability. The company has published a blog post detailing the new class of attack, and providing advice on how to mitigate the risks.
Reverse proxies are used to route external HTTP and HTTPS Web requests to one of several internal Web servers to access data and resources. Typical applications include load balancing, separating static from dynamic content, or presenting a single interface to a number of different Web servers at different paths.
This latest vulnerability is a potential back door to sensitive internal or DMZ systems, but is totally avoidable if the reverse proxies are properly configured.
Context Information Security
The specific attack identified by Context researchers was based on an Apache Web server using the mod_rewrite proxy function, which uses a rule-based rewriting engine to modify and rewrite Web requests dynamically. When the Web proxies weren’t configured securely, the researchers were able to employ a commonly used hacking tool to force a change in the request to access internal or DMZ systems, including administration interfaces on firewalls, routers, Web servers and databases. Moreover, if the credentials on the internal systems were weak, the researchers were able to execute a full network compromise, including uploading Trojan WAR files to a server.
In addition to the blog post, Context has also released a new version of its free–to-download Context Application Tool (CAT), which can be used to identify the vulnerability.
“This latest vulnerability is a potential back door to sensitive internal or DMZ systems, but is totally avoidable if the reverse proxies are properly configured,” said Michael Jordon, research and development manager at Context Information Security, in a written statement. “We have not investigated other Web servers and proxies but it is reasonable to assume the problem is more widespread.”