Re: [users@httpd] Virtual Host Not Working

2014-02-12 Thread Tom Evans
On Mon, Feb 10, 2014 at 10:24 PM, Jim Borland  wrote:
> My server, which is located in the Amazon cloud, was just moved to a new
> location with a new IP address.  Nothing else was changed. However, the
> Apache Virtual Host, which has worked flawlessly for several years, is
> broken.  Apache server version is: Apache/2.2.16 (Ubuntu).
>
> I went to my DNS host and changed the names to point to the new IP address.
> But now, when I go to the hostname in my browser I end up at the default
> site instead of the one specified for the virtual host.  Here is my config
> file (httpd-vhosts.conf).
>
> 
>

Simplify your config:

> NameVirtualHost *:80
>
> 
> ServerAdmin jborlan...@gmail.com
> ServerName ec2-75-101-136-229.compute-1.amazonaws.com
> DocumentRoot "/var/www"
> 
>
> 
>Order allow,deny
>Allow from all
> 
>
> 
> ServerName atascaderoband.org
> ServerAlias www.atascaderoband.org
> DocumentRoot "/home/jim/atasband"
> 
>
> 
> ServerName www.slocountyband.org
> ServerAlias slocountyband.org
> DocumentRoot "/home/jim/band"
> 
>

Work now?

Cheers

Tom

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] RewriteEngine

2014-02-12 Thread Eric K. Dickinson

Thank you

Unfortunately not available for our architecture.

I will keep plugging.

eric

On 02/10/2014 09:13 PM, Michael Streeter wrote:

> On 2/10/2014 8:04 AM, Eric K. Dickinson wrote:
>
>> Thank you very much.
>> I gave it a go... Still no Joy, the attempts at directory recursion
>> still end up in the access log...
>>
>> More reading.
>>
>> eric
>
> Sorry to hear that.  A couple of things that help me, and may help in
> your troubleshooting are:
> 1) Turn on rewrite logging if you're able to and haven't already. The
> procedure is slightly different for newer versions of Apache, so the
> exact steps depend on your Apache version.
> 2) To test regular expressions, check out pcretest.  It is bundled with
> the pcre library which is the same library Apache uses for regular
> expressions.




[users@httpd] Possible exploit?

2014-02-12 Thread Knute Johnson
I found the following in my log this morning.  Does anybody know what it 
really means?  Thanks.


 A total of 3 possible successful probes were detected (the following URLs
 contain strings that match one or more of a listing of strings that
 indicate a possible exploit):


/user.php?caselist[bad_file.txt][path]=http://www.google.com/humans.txt?&command=cat%20/etc/passwd 
HTTP Response 302


/sid=&shopid=http://www.google.com/humans.txt? 
HTTP Response 302


/gepi/gestion/savebackup.php?filename=http://www.google.com/humans.txt?&cmd=cat/etc/passwd 
HTTP Response 302



--

Knute Johnson




Re: [users@httpd] Possible exploit?

2014-02-12 Thread Yehuda Katz
When you go to those URLs on your website, what output do you get?
That will likely tell you what output the attacker got.

- Y

Sent from a gizmo with a very small keyboard and hyperactive autocorrect.
On Feb 12, 2014 10:58 AM, "Knute Johnson"  wrote:

> I found the following in my log this morning.  Does anybody know what it
> really means?  Thanks.
>
>  A total of 3 possible successful probes were detected (the following URLs
>  contain strings that match one or more of a listing of strings that
>  indicate a possible exploit):
>
>
> /user.php?caselist[bad_file.txt][path]=http://www.google.com/humans.txt?&command=cat%20/etc/passwd
> HTTP Response 302
>
> /sid=&shopid=http://www.google.com/humans.txt?
> HTTP Response 302
>
> /gepi/gestion/savebackup.php?filename=http://www.google.com/humans.txt?&cmd=cat/etc/passwd
> HTTP Response 302
>
>
> --
>
> Knute Johnson
>


Re: [users@httpd] Possible exploit?

2014-02-12 Thread rahul bhola
In first and last case he was checking if it is possible to pass shell
commands through command or cmd parameter. Not sure on second one but it
looks like he was testing for unsanitized url redirection vul.


On Wed, Feb 12, 2014 at 9:28 PM, Knute Johnson wrote:

> I found the following in my log this morning.  Does anybody know what it
> really means?  Thanks.
>
>  A total of 3 possible successful probes were detected (the following URLs
>  contain strings that match one or more of a listing of strings that
>  indicate a possible exploit):
>
>
> /user.php?caselist[bad_file.txt][path]=http://www.google.com/humans.txt?&command=cat%20/etc/passwd
> HTTP Response 302
>
> /sid=&shopid=http://www.google.com/humans.txt?
> HTTP Response 302
>
> /gepi/gestion/savebackup.php?filename=http://www.google.com/humans.txt?&cmd=cat/etc/passwd
> HTTP Response 302
>
>
> --
>
> Knute Johnson
>


-- 
Rahul Bhola
B.E.
computers
Core Member
Department of backstage
Bits Pilani KK Birla Goa Campus


Re: [users@httpd] Possible exploit?

2014-02-12 Thread Knute Johnson

On 2/12/2014 08:04, rahul bhola wrote:

> In first and last case he was checking if it is possible to pass shell
> commands through command or cmd parameter. Not sure on second one but it
> looks like he was testing for unsanitized url redirection vul.
>
> On Wed, Feb 12, 2014 at 9:28 PM, Knute Johnson <apa...@knutejohnson.com> wrote:
>
>> I found the following in my log this morning.  Does anybody know
>> what it really means?  Thanks.
>>
>>  A total of 3 possible successful probes were detected (the following URLs
>>  contain strings that match one or more of a listing of strings that
>>  indicate a possible exploit):
>>
>> /user.php?caselist[bad_file.txt][path]=http://www.google.com/humans.txt?&command=cat%20/etc/passwd
>> HTTP Response 302
>>
>> /sid=&shopid=http://www.google.com/humans.txt?
>> HTTP Response 302
>>
>> /gepi/gestion/savebackup.php?filename=http://www.google.com/humans.txt?&cmd=cat/etc/passwd
>> HTTP Response 302
>>
>> --
>>
>> Knute Johnson
>
> --
> Rahul Bhola
> B.E.
> computers
> Core Member
> Department of backstage
> Bits Pilani KK Birla Goa Campus


So you think he was trying to get the content of my passwd file?  So 
what would that get him?


Is it possible to do this myself to see what he could have gotten?

Thanks,

--

Knute Johnson




Re: [users@httpd] Possible exploit?

2014-02-12 Thread rahul bhola
Because of HTTP Response 302 a safe bet would be to say he didn't get
anything. Still, I would recommend you to sanitize the data u get from
parameter command and cmd.
Also simply go to the url to see what he saw.


On Wed, Feb 12, 2014 at 9:58 PM, Knute Johnson wrote:

> On 2/12/2014 08:04, rahul bhola wrote:
>
>> In first and last case he was checking if it is possible to pass shell
>> commands through command or cmd parameter. Not sure on second one but it
>> looks like he was testing for unsanitized url redirection vul.
>>
>>
>> On Wed, Feb 12, 2014 at 9:28 PM, Knute Johnson wrote:
>>
>> I found the following in my log this morning.  Does anybody know
>> what it really means?  Thanks.
>>
>>  A total of 3 possible successful probes were detected (the following URLs
>>  contain strings that match one or more of a listing of strings that
>>  indicate a possible exploit):
>>
>> /user.php?caselist[bad_file.txt][path]=http://www.google.com/humans.txt?&command=cat%20/etc/passwd
>> HTTP Response 302
>>
>> /sid=&shopid=http://www.google.com/humans.txt?
>> HTTP Response 302
>>
>> /gepi/gestion/savebackup.php?filename=http://www.google.com/humans.txt?&cmd=cat/etc/passwd
>> HTTP Response 302
>>
>>
>> --
>>
>> Knute Johnson
>>
>> --
>> Rahul Bhola
>> B.E.
>> computers
>> Core Member
>> Department of backstage
>> Bits Pilani KK Birla Goa Campus
>>
>
> So you think he was trying to get the content of my passwd file?  So what
> would that get him?
>
> Is it possible to do this myself to see what he could have gotten?
>
> Thanks,
>
>
> --
>
> Knute Johnson
>


-- 
Rahul Bhola
B.E.
computers
Core Member
Department of backstage
Bits Pilani KK Birla Goa Campus


[users@httpd] Apache 2.4 mod_ratelimit and mod_proxy_fcgi issue

2014-02-12 Thread Adam Hurkala
Hi,

I've just noticed that mod_ratelimit does not work as expected with
mod_proxy_fcgi. I set a download limit to 500 KB/s for PHP (php-fpm) and
for some reason I'm still able to download at full speed.
If download limit is set to some low value e.g. 10 KB/s it pretty much
works (see results).

Configuration 1:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/home/adam/apache2.4/htdocs/$1
SetOutputFilter RATE_LIMIT
SetEnv rate-limit 500

Results 1 (download 74 MB file with wget with rate_limit set to 500):
2014-02-12 14:32:25 (3.83 MB/s) - `file.php' saved [76581888/76581888]

Configuration 2:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/home/adam/apache2.4/htdocs/$1
SetOutputFilter RATE_LIMIT
SetEnv rate-limit 10

Results 2 (download 74 MB file with wget with rate_limit set to 10):
2014-02-12 15:32:05 (13.3 KB/s) - `file.php' saved [76581888/76581888]

I've tested this issue on LAN and internet and always got the same results.

PHP script that can be used to test this issue can be found here (only path
to file needs to be set):
http://pastebin.com/zXWUMaxf

Thanks,
Adam


Re: [users@httpd] Virtual Host Not Working

2014-02-12 Thread Jim Borland
My goodness, that worked!  I am blown away!  Thank you very much for 
your help with this.


Jim

On 2/12/2014 2:58 AM, Tom Evans wrote:

> On Mon, Feb 10, 2014 at 10:24 PM, Jim Borland  wrote:
>
>> My server, which is located in the Amazon cloud, was just moved to a new
>> location with a new IP address.  Nothing else was changed. However, the
>> Apache Virtual Host, which has worked flawlessly for several years, is
>> broken.  Apache server version is: Apache/2.2.16 (Ubuntu).
>>
>> I went to my DNS host and changed the names to point to the new IP address.
>> But now, when I go to the hostname in my browser I end up at the default
>> site instead of the one specified for the virtual host.  Here is my config
>> file (httpd-vhosts.conf).
>
> Simplify your config:
>
>> NameVirtualHost *:80
>>
>> ServerAdmin jborlan...@gmail.com
>> ServerName ec2-75-101-136-229.compute-1.amazonaws.com
>> DocumentRoot "/var/www"
>>
>> Order allow,deny
>> Allow from all
>>
>> ServerName atascaderoband.org
>> ServerAlias www.atascaderoband.org
>> DocumentRoot "/home/jim/atasband"
>>
>> ServerName www.slocountyband.org
>> ServerAlias slocountyband.org
>> DocumentRoot "/home/jim/band"
>
> Work now?
>
> Cheers
>
> Tom






Re: [users@httpd] Possible exploit?

2014-02-12 Thread Knute Johnson

On 2/12/2014 08:43, rahul bhola wrote:

> Because of HTTP Response 302 a safe bet would be to say he didn't get
> anything. Still, I would recommend you to sanitize the data u get from
> parameter command and cmd.
> Also simply go to the url to see what he saw.


To what URL?  What do you mean sanitize?

Thanks,

--

Knute Johnson




Re: [users@httpd] Possible exploit?

2014-02-12 Thread rahul bhola
By sanitize I mean just check that u don't directly put the data coming from
cmd or command to exec() or functions that might compromise the security of
your system. By url I mean example:
yoursite.com/sid=&shopid=http://www.google.com/humans.txt?
would show you what he got.



On Thu, Feb 13, 2014 at 2:08 AM, Knute Johnson wrote:

> On 2/12/2014 08:43, rahul bhola wrote:
>
>> Because of HTTP Response 302 a safe bet would be to say he didn't get
>> anything. Still, I would recommend you to sanitize the data u get from
>> parameter command and cmd.
>> Also simply go to the url to see what he saw.
>>
>
> To what URL?  What do you mean sanitize?
>
>
> Thanks,
>
> --
>
> Knute Johnson
>


-- 
Rahul Bhola
B.E.
computers
Core Member
Department of backstage
Bits Pilani KK Birla Goa Campus


[users@httpd] apache caching 400 http status?

2014-02-12 Thread Anthony J. Biacco
I'm running compiled apache 2.2.24 on centos 6.4
I have a URL which gets proxied to tomcat with mod_proxy_ajp.
The URL in a test scenario is producing a 400 status and content using tomcat 
custom error pages.
Said URL space is cached in apache with mod_disk_cache.
Apache is caching said content and serving it out of cache.

I was under the assumption that 400 statuses were not supposed to be cached and 
the 2.2 says as much.
Is this incorrect (even if a Cache-Control header is being set)?

-Tony
---
Manager, IT Operations
Format Dynamics, Inc.
P: 303-228-7327
F: 303-228-7305
abia...@formatdynamics.com
http://www.formatdynamics.com



Re: [users@httpd] apache caching 400 http status?

2014-02-12 Thread Mike Rumph

Hello Anthony,

The discussion on the caching of 503 errors in bug 55669 may apply to 
this email thread as well.

- https://issues.apache.org/bugzilla/show_bug.cgi?id=55669

Thanks,

Mike Rumph

On 2/12/2014 2:35 PM, Anthony J. Biacco wrote:

> I'm running compiled apache 2.2.24 on centos 6.4
> I have a URL which gets proxied to tomcat with mod_proxy_ajp.
> The URL in a test scenario is producing a 400 status and content using
> tomcat custom error pages.
> Said URL space is cached in apache with mod_disk_cache.
> Apache is caching said content and serving it out of cache.
>
> I was under the assumption that 400 statuses were not supposed to be
> cached and the 2.2 says as much.
> Is this incorrect (even if a Cache-Control header is being set)?
>
> -Tony
> ---
> Manager, IT Operations
> Format Dynamics, Inc.
> P: 303-228-7327
> F: 303-228-7305
> abia...@formatdynamics.com
> http://www.formatdynamics.com





Re: [users@httpd] Possible exploit?

2014-02-12 Thread Knute Johnson

On 2/12/2014 13:11, rahul bhola wrote:

> By sanitize I mean just check that u don't directly put the data coming
> from cmd or command to exec() or functions that might compromise the
> security of your system.

Are you talking about in CGI programs?

> By url I mean example:
> yoursite.com/sid=&shopid=http://www.google.com/humans.txt?
> would show you what he got.


If I do the above I get a File Not Found (404).  I think there must be 
more to it than that.


--

Knute Johnson
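
Added example, not part of the thread: a Python triage pass over access-log lines that flags the two patterns discussed in this thread (a parameter whose value is an absolute URL, and a `cmd`/`command` parameter) and reports the response status beside each hit. The request paths and the 302 status are the ones quoted above; client addresses, timestamps, sizes, user agents and all function names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample in Apache "combined" format. The three request paths and
# the 302 status are the ones quoted in the thread; addresses (documentation
# ranges), timestamps, sizes and user agents are made up for the example.
SAMPLE_LOG = r'''
203.0.113.7 - - [12/Feb/2014:03:11:02 -0800] "GET /user.php?caselist[bad_file.txt][path]=http://www.google.com/humans.txt?&command=cat%20/etc/passwd HTTP/1.1" 302 289 "-" "probe"
203.0.113.7 - - [12/Feb/2014:03:11:03 -0800] "GET /sid=&shopid=http://www.google.com/humans.txt? HTTP/1.1" 302 262 "-" "probe"
203.0.113.7 - - [12/Feb/2014:03:11:04 -0800] "GET /gepi/gestion/savebackup.php?filename=http://www.google.com/humans.txt?&cmd=cat/etc/passwd HTTP/1.1" 302 297 "-" "probe"
198.51.100.20 - - [12/Feb/2014:03:12:40 -0800] "GET /index.html?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')
REMOTE_URL = re.compile(r'(?:https?|ftp)://', re.IGNORECASE)
COMMAND_NAMES = {"cmd", "command"}


def parameters(target):
    """Yield decoded (name, value) pairs from a request target.

    Splitting on both '?' and '&' also catches pairs written into the path
    ('/sid=&shopid=...') and values that end in their own '?'.
    """
    for piece in re.split(r"[?&]", target):
        name, sep, value = piece.partition("=")
        if sep:
            yield unquote(name).rsplit("/", 1)[-1], unquote(value)


def classify(target):
    """Return the sorted probe tags that apply to one request target."""
    tags = set()
    for name, value in parameters(target):
        if REMOTE_URL.match(value):
            tags.add("remote-url-parameter")
        if name.lower() in COMMAND_NAMES or "/etc/passwd" in value:
            tags.add("command-parameter")
    return sorted(tags)


def outcome(status):
    """Say what the status code alone does and does not establish."""
    if 200 <= status < 300:
        return "answered with content: inspect what the handler returned"
    if 300 <= status < 400:
        return "redirected: find which rule or script issued the redirect"
    return "refused or failed"


def scan(log_text):
    """Return one finding per log line whose target matches a probe tag."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tags = classify(m["target"])
        if tags:
            status = int(m["status"])
            findings.append({"client": m["ip"], "target": m["target"],
                             "status": status, "tags": tags,
                             "outcome": outcome(status)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["client"], f["status"], ",".join(f["tags"]), f["target"])
        print("   ", f["outcome"])
```

The default combined log format does not record the `Location` header, so for the 302 lines the redirect target has to be found from the server configuration or the script that handled the request.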




RE: [users@httpd] apache caching 400 http status?

2014-02-12 Thread Geoff Millikan
We had this problem too and so stopped using mod_disk_cache for a few months.  
I was under the impression it had been fixed and so
we've recently turned it back on.  We're on Apache/2.2.26.

 

From: Mike Rumph [mailto:mike.ru...@oracle.com] 
Sent: Wednesday, February 12, 2014 4:54 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] apache caching 400 http status?

 

Hello Anthony,

The discussion on the caching of 503 errors in bug 55669 may apply to this 
email thread as well.
- https://issues.apache.org/bugzilla/show_bug.cgi?id=55669

Thanks,

Mike Rumph

On 2/12/2014 2:35 PM, Anthony J. Biacco wrote:

I'm running compiled apache 2.2.24 on centos 6.4

I have a URL which gets proxied to tomcat with mod_proxy_ajp.

The URL in a test scenario is producing a 400 status and content using tomcat 
custom error pages.

Said URL space is cached in apache with mod_disk_cache.

Apache is caching said content and serving it out of cache.

 

I was under the assumption that 400 statuses were not supposed to be cached and 
the 2.2 says as much.

Is this incorrect (even if a Cache-Control header is being set)?

 

-Tony

---

Manager, IT Operations

Format Dynamics, Inc.

P: 303-228-7327

F: 303-228-7305

abia...@formatdynamics.com

http://www.formatdynamics.com

 

 



[users@httpd] Allowconnect

2014-02-12 Thread Sittampalam, Nagu
Hello

Does anybody know if Allowconnect statement would allow a client to connect 
through the proxy server to a server on HTTPS? We have been trying to get this 
to work but no progress so far so want to know if it should work or not.

Nagu Sittampalam | Security Team Leader , IT Solutions Division | Southampton 
Strategic Services Partnership | Landline: 02380 833012 | Fax: 02380 832973 | 
e-mail 
nagu.sittampa...@southampton.gov.uk 
| e-mail nagu.sittampa...@capita.co.uk | 
post Capita ITS, 1st Floor, One Guildhall Square, Above Bar, Southampton, SO14 
7FP



[users@httpd] Preventing an open proxy with both a single SSL virtual host and a non-SSL virtual host

2014-02-12 Thread Richard Mixon
We've set up a new Apache server on Centos 6.4, httpd 2.2.15.

The site is running SSL with a single Wordpress virtual host. We do use
mod_proxy to forward some requests to back-end systems: our CAS
authentication system and a couple of other back-end systems we need a
limited amount of content from. We've done this often in the past, but this
configuration is a bit different.

All was fine until we created a simple (additional) virtual host on port 80
for the sole purpose of redirecting users that forgot to type in the https
in the url. After that we started getting flooded with requests such as the
following:

64.120.77.151 - - [13/Feb/2014:00:03:05 -0700] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=160x600&section=4660128&pub_url=${PUB_URL} HTTP/1.0" 403 283 "http://creditsxchange.com/index.php/hotdeal/5536-the-times-of-india" "Mozilla/5.0 (Windows NT 7.1) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30"

We shut the port 80 virtual host down and everything was returned to normal
and we started looking for a solution. We came across what appeared to be a
couple of excellent articles that addressed the problem:

1) The "Why do I see requests for other sites appearing in my log files?"
section at http://wiki.apache.org/httpd/FAQ

2) The solution on this posting
http://serverfault.com/questions/283200/my-virtualhosts-overlap-and-my-namevirtualhost-has-no-virtualhosts

Well what seemed a nice clear solution has not worked so well. I'm thinking
it is because we have both a single SSL virtual host and a (now two)
non-SSL host.

Our main httpd.conf file contains:
  ...
  ## ***
  #Listen 80
  Listen 443
  ## ***
  ...
  NameVirtualHost *:80
  NameVirtualHost *:443
  ...
  Include conf/VirtualHost.d/*.conf

then we have what is now a single Virtual Host config file - but was
originally three (01-vhost.conf, 02-vhost.conf and 03-vhost.conf), I
combined them thinking the ordering might not be correct.

Anyway here's the content of the Virtual hosts config:

# Purpose is to prevent open proxy configuration.
# This Virtual Host config must be named so it appears first,
# i.e. 00-default.only.conf

ServerName default.only
ErrorLog logs/default.only-error_log
CustomLog logs/default.only-access_log combined

  Order allow,deny
  Deny from all



# This is the virtual host we really need on port 80

ServerAdmin rnmi...@custco.biz
DocumentRoot /var/www/community.acmeinc.com
ServerName community.acmeinc.com
ErrorLog logs/community.acmeinc.com-error_log
CustomLog logs/community.acmeinc.com-access_log combined

ProxyRequests Off
ProxyPreserveHost Off

RewriteCond %{HTTP_HOST} ^community\.acmeinc\.com [NC]
RewriteRule / https://community.acmeinc.com/ [L,R,NE]



# This is the main real virtual host

ServerAdmin rnmi...@custco.biz
ServerName community.acmeinc.com
ErrorLog logs/community.acmeinc.com.ssl-error_log
CustomLog logs/community.acmeinc.com.ssl-access_log combined

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/community_acmeinc_com.crt
SSLCertificateKeyFile /etc/pki/tls/private/community.acmeinc.com.key
SSLCertificateChainFile /etc/pki/tls/certs/community_acmeinc_com.ca-bundle
SSLProxyEngine On
SSLProxyCACertificateFile /etc/tomcat7/tomcat-server.pem

ProxyRequests On
ProxyPreserveHost On


  ProxyPass https://community.acmeinc.local:8443/cas/
  ProxyPassReverse https://community.acmeinc.local:8443/cas/


https://community.acmeinc.local:8443/cas/>
  AllowOverride None
  Order allow,deny
  Allow from All



  ProxyPass http://www.acmeinc.local/TicketSales/
  ProxyPassReverse http://www.acmeinc.local/TicketSales/


http://www.acmeinc.local/TicketSales/>
  AllowOverride None
  Order allow,deny
  Allow from All



  ProxyPass https://community.acmeinc.local:8443/rhythm/
  ProxyPassReverse https://community.acmeinc.local:8443/rhythm/


https://community.acmeinc.local:8443/rhythm/>
  AllowOverride None
  Order allow,deny
  Allow from All


DocumentRoot /var/www/community.acmeinc.com

Options Indexes FollowSymLinks MultiViews
AllowOverride all
Order allow,deny
allow from all




Problem - if we uncomment the "Listen 80" directive to let the port 80
virtual hosts work, we become an open proxy again.

Here is the output from a dump of the virtual host config:

/usr/sbin/httpd -t -D DUMP_VHOSTS
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443  is a NameVirtualHost
 default server
community.acmeinc.com(/etc/httpd/conf/VirtualHost.d/01-community.acmeinc.com.conf:30)
 port 443 namevhost
community.acmeinc.com(/etc/httpd/conf