Apache patches reverse proxy flaw which gives access to internal systems

Security experts are warning firms running the Apache web server to keep up to date with the latest patches after the Apache Software Foundation issued a security advisory to all customers highlighting a new vulnerability.

Security consultancy Context Information Security explained in a blog post that this specific attack technique exploits insecurely configured reverse web proxies to gain access to internal or DMZ systems, but could also cover other proxies and web servers.

Context explained that the attack is based on an Apache web server using the mod_rewrite proxy function, and uses a common hacking tool to change the request to access DMZ systems.

"We can access any internal/DMZ system which the proxy can access including administration interfaces on firewalls, routers, web servers, databases etc," the firm said.

"Context has had plenty of success with this attack where credentials are weak on the internal systems allowing for full network compromise e.g. uploading Trojan WAR files on to JBoss servers."

Context advised companies to patch servers with the latest security update released by Apache, and to review reverse proxy configurations to ensure that rewrite rules cannot be used to access internal systems.

"As can be seen in this blog, rewrite rules have a great deal of flexibility but the implications of mis-configuration are critical," said the firm.

"Context therefore recommends that this new type of security vulnerability, which affects Apache and potentially other proxy configurations, is included in any penetration tests and security configuration reviews."

Apache has had a tough time of late. In August, the Foundation was forced to issue an update to protect against a denial of service flaw being exploited in the wild.

Attackers are increasingly targeting Apache web servers because they are the most popular, various estimates putting its share of the market at around 65 per cent.