Hi,

We are experiencing the effect that a RewriteRule resulting in R (redirect) is 
blocked (403) with AH10410 despite being encoded before 2.4.56 (the resulting 
Location header was OK). Is this change intentional?

Example:
RewriteRule ^/here/([^/]+)(/.*)$ http://example.com:8080/elsewhere/?base=$1&target=$2 [R,QSA,L]

We are evaluating this workaround:
[R,B,BNP,NE,QSA,L]

This results in encoded slashes, which is not necessary. Any ideas how to 
achieve the previous result?

Tested on the Ubuntu 22.04 and 20.04 backport of this fix.

Thanks,
Thomas Å.


On 2023/03/07 12:55:07 Eric Covener wrote:
> 
> Severity: important
> 
> Description:
> 
> Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 
> 2.4.55 allow an HTTP Request Smuggling attack.
> 
> Configurations are affected when mod_proxy is enabled along with some form of 
> RewriteRule
> or ProxyPassMatch in which a non-specific pattern matches
> some portion of the user-supplied request-target (URL) data and is then
> re-inserted into the proxied request-target using variable 
> substitution. For example, something like:
> 
> RewriteEngine on
> RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
> ProxyPassReverse /here/ http://example.com:8080/
> 
> Request splitting/smuggling could result in bypass of access controls in the 
> proxy server, proxying unintended URLs to existing origin servers, and cache 
> poisoning.
> 
> Credit:
> 
> Lars Krapf of Adobe (finder)
> 
> References:
> 
> https://httpd.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2023-25690
> 
> Timeline:
> 
> 2023-02-02: reported
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> 

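As an added example for this thread (it is not code from the advisory, from httpd, or from Thomas), the Python below models the three steps the advisory describes: httpd percent-decodes the request path before RewriteRule matching, the non-specific capture is spliced into the substitution, and the reverse proxy re-encodes only the path part of the result while forwarding the query part unchanged. That last behaviour, the set of bytes the proxy is assumed to leave alone (PATH_SAFE), the use of re.S so that a decoded LF stays inside the capture, and the sample request-targets are my assumptions for the model, not facts taken from the page. It shows the decoded capture reaching the origin as a second request line, the [B] flag neutralising it, and the side effect Thomas complains about: [B] also turns every "/" in the capture into %2F.

```python
"""Small Python model of the rewrite -> proxy path the advisory describes.
This is an added example, not httpd source.  Assumptions (mine, not stated
on the page): the reverse proxy re-encodes only the path part of the
rewritten URL and forwards the query part byte-for-byte; PATH_SAFE
approximates which bytes it leaves alone; re.S is used so a decoded LF is
visible inside the capture.  Nothing here touches a network.
"""
import re
from urllib.parse import quote, unquote

# The advisory's vulnerable rule: a non-specific capture re-inserted raw
# into the proxied request-target, after the rule's own literal '?'.
RULE_PATTERN = re.compile(r"^/here/(.*)", re.S)
RULE_TARGET = "http://example.com:8080/elsewhere?$1"

# Bytes assumed to survive path re-encoding.  What matters for the model is
# that ' ', CR, LF and '?' are not among them.
PATH_SAFE = "/-._~!$&'()*+,;=:@"


def expand_backref(raw_request_target, escape_backref=False):
    """Steps 1 and 2: percent-decode (httpd matches RewriteRule against the
    decoded path), then splice the capture into the substitution.
    escape_backref=True models the [B] flag: every non-alphanumeric byte of
    the capture is escaped, '/' included.  Returns None on no match."""
    m = RULE_PATTERN.match(unquote(raw_request_target))
    if not m:
        return None
    backref = m.group(1)
    if escape_backref:
        backref = quote(backref, safe="")
    return RULE_TARGET.replace("$1", backref)


def proxied_request_target(rewritten_url):
    """Step 3: the request-target the proxy writes to the origin.  Split at
    the first '?'; percent-encode the path, pass the query through as-is."""
    after_host = rewritten_url.split("://", 1)[1].split("/", 1)[1]
    path, sep, query = ("/" + after_host).partition("?")
    return quote(path, safe=PATH_SAFE) + sep + query


def backend_wire(raw_request_target, escape_backref=False,
                 host="example.com:8080"):
    """The bytes the origin reads for one client request."""
    url = expand_backref(raw_request_target, escape_backref)
    target = proxied_request_target(url)
    return "GET %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (target, host)


def count_request_lines(wire):
    """How many request lines an origin parsing `wire` would see.  One is
    normal; two means the client pushed a second request through the proxy."""
    return len(re.findall(r"^GET \S+ HTTP/1\.1\r?$", wire, re.M))


def capture_is_unsafe(raw_request_target):
    """Example pre-check (not httpd's code): refuse the rewrite when the
    *decoded* capture carries a byte that changes how the proxied
    request-target is parsed.  '?' moves the path/query boundary; space,
    CR and LF break the request line."""
    m = RULE_PATTERN.match(unquote(raw_request_target))
    return bool(m) and any(c in m.group(1) for c in "? \r\n")


# Constructed attacker request-target (no real host involved): decoded, the
# capture is "x HTTP/1.1\r\nHost: ...\r\n\r\nGET /admin", which lands in
# the query part and is therefore forwarded without re-encoding.
SMUGGLE = ("/here/x%20HTTP/1.1%0D%0AHost:%20example.com:8080%0D%0A%0D%0A"
           "GET%20/admin")
BENIGN = "/here/docs/index.html"   # [B] turns this into docs%2Findex.html

if __name__ == "__main__":
    print(repr(backend_wire(SMUGGLE)))                       # two request lines
    print(repr(backend_wire(SMUGGLE, escape_backref=True)))  # one, escaped
    print(expand_backref(BENIGN, escape_backref=True))       # slash became %2F
    print(capture_is_unsafe(SMUGGLE), capture_is_unsafe(BENIGN))
```

Run it as a script to see the wire bytes with and without [B]. The pre-check refuses the request before any rewrite happens, which is the same place the 2.4.56 403 mentioned in this thread sits, but it is example logic, not the check httpd applies.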