I suspect you are not running a forward proxy on purpose, so you should not
have "ProxyRequests ON" in your configuration.  You should just test
without this, remove the other additions, and move on.

If you're running a forward proxy on purpose, you have to restrict who can
access it (and what hosts it can access).  You need to be able to test it
as you go. You seem to have a combination of different access control
snippets, including deprecated ones like "order" and "allow" and an
unnecessary authconfig.  I suggest starting over based on how you expect to
limit users -- are you going to maintain a htpasswd entry for each user?
Or use "require" to allow IP ranges or domains?  Again, you need to be able
to test this as you go.


On Fri, Sep 27, 2024 at 7:31 AM Shinde, Pramod K
<pshi...@jjkeller.com.invalid> wrote:

> Hello,
>
> We are using Apache HTTPD 2.4.53 for an internal content management
> system. It is not customer-facing. The security solution considers the
> proxy vulnerable to an "Unauthenticated/Open Web Proxy Detected"
> vulnerability. After many back and forths with them to check if it's a
> false positive, we still made these changes in the httpd.conf file as per this
> Apache documentation https://httpd.apache.org/docs/current/howto/auth.html
>
> Do you think this is the fix for the above-mentioned vulnerabilities? The
> reason to ask here is that Qualys doesn't provide any CVE and asks us to
> confirm from Apache.
>
> This is the solution given by Qualys, which we tried to apply within
> httpd.conf. Let me know if we misunderstood:
>
> *SOLUTION: Configure your proxy server to only allow connections from
> valid users/hosts within your internal network, or to require
> authentication in order to use the proxy services. If you need more
> assistance on how to do this, please contact the vendor of the proxy
> software.*
>
> =================Vulnerability Details==============
> 62054- Unauthenticated/Open Web Proxy Detected (External)
> 62002- Unauthenticated/Open Web Proxy Detected
> IMPACT:
> Successful exploitation may allow unauthorized users to browse the
> Internet with your IP address, your Intranet and Web server. This may also
> be exploited to scan non-http services inside your firewall.
> SOLUTION:
> Reconfigure your proxy.
> COMPLIANCE:
> Not Applicable
> EXPLOITABILITY:
> There is no exploitability information for this vulnerability.
> ASSOCIATED MALWARE:
> There is no malware information for this vulnerability.
> RESULTS:
> GET http://QualysScannerApplianceIP:32943/ HTTP/1.0
> ======================
>
> Here is how we made the changes in Apache's httpd.conf file
>
> *Code:*
>
> #Sept 2024 - Attempting to fix unauthenticated proxy vul (QIDs 62002 and 62054)
> AllowOverride AuthConfig
>
> #Sept 2024 - Attempting to fix unauthenticated proxy vul (QIDs 62002 and 62054)
>     Order allow,deny
>     Allow from corpr.company_domain.local
>
> #Sept 2024 - Attempting to fix unauthenticated proxy vul (QIDs 62002 and 62054)
> AuthType Basic
> AuthName "Restricted Files"
> ## (Following line optional)
> #AuthBasicProvider file
> AuthUserFile "C:\httpd-2.4.53-win64-VS16\Apache24\passwd\passwords"
> Require user rbowen
>
> </Directory>
>
>
> # Mod_Proxy Settings
> <VirtualHost *>
>    ProxyRequests On
>    ProxyTimeout 3600
>    ProxyPreserveHost On
>
>    <Proxy *>
>       Order deny,allow
>       Deny from all
>       Allow from corpr.company_domain.local
>    </Proxy>
> </VirtualHost>
> ProxyPass         /fontoxml  http://localhost:9191/fontoxml
> ProxyPassReverse  /fontoxml  http://localhost:9191/fontoxml
>
> ProxyPass         /api/fonto/proxy/spell-checker  http://localhost:6050
> ProxyPassReverse  /api/fonto/proxy/spell-checker http://localhost:6050
>
> ProxyPass         /api/fonto  http://localhost:9191/api/fonto
> ProxyPassReverse  /api/fonto http://localhost:9191/api/fonto
>
> #QID 12680: HTTP TRACE / TRACK Methods Enabled
> TraceEnable off
>
>
>


-- 
Eric Covener
cove...@gmail.com
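The reply above insists twice on being able to test the proxy as you go. As an added example, not part of this thread and not code from Apache httpd or Qualys, here is a probe that reproduces the scanner's RESULTS line: an absolute-URI `GET http://<listener>:<port>/ HTTP/1.0` sent to the httpd under test, while a listener on an address the proxy can reach (the scanner used its own appliance IP and port 32943) waits for the relayed connection. A 200 alone proves nothing, because with `ProxyRequests Off` httpd answers an absolute-URI request from its own document root; only a connection arriving at the listener proves the proxy relayed it. The host names and ports in `__main__` are placeholders (assumption), as is the 50x heuristic noted in `classify`.

```python
"""Open forward-proxy probe reproducing the scanner's check (added example).

Sends "GET http://<listener>:<port>/ HTTP/1.0" to the host under test and
watches whether the proxy opens a connection to the listener we control.
"""
import socket
import threading
from typing import Optional, Tuple


def build_probe(listener_host: str, listener_port: int) -> bytes:
    """Absolute-URI request line: the form a forward proxy acts on."""
    target = f"http://{listener_host}:{listener_port}/"
    return (
        f"GET {target} HTTP/1.0\r\n"
        f"Host: {listener_host}:{listener_port}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_status(response: bytes) -> Optional[int]:
    """HTTP status code from a raw response, or None if there is no status line."""
    parts = response.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None


def classify(status: Optional[int], relayed: bool) -> str:
    """Verdict from what the listener saw and what the proxy answered."""
    if relayed:
        return "OPEN: proxy relayed the request to the listener"
    if status == 407:
        return "restricted: proxy requires authentication (407)"
    if status == 403:
        return "restricted: proxy denied this client (403)"
    if status in (502, 503, 504):
        # Assumption: a gateway error with no listener hit means the proxy
        # attempted the relay but could not reach our listener.
        return "likely OPEN: proxy tried to relay but could not reach the listener"
    if status is None:
        return "no HTTP answer: connection refused, reset or timed out"
    return f"not proxying: status {status} answered locally, listener untouched"


def _accept_once(lsock: socket.socket, seen: dict, timeout: float) -> None:
    """Accept a single relayed connection, record it, answer it, and exit."""
    lsock.settimeout(timeout)
    try:
        conn, peer = lsock.accept()
    except OSError:  # accept timed out or listener was closed: nothing relayed
        return
    with conn:
        seen["relayed"] = True  # set before replying so probe() always sees it
        seen["peer"] = peer[0]
        seen["request"] = conn.recv(4096)
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 7\r\n\r\nrelayed")


def probe(proxy_host: str, proxy_port: int, listener_host: str,
          listener_port: int, timeout: float = 10.0) -> Tuple[str, bytes]:
    """Run one probe; returns (verdict, raw response from the proxy)."""
    seen = {"relayed": False, "peer": None, "request": b""}
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((listener_host, listener_port))
    lsock.listen(1)
    worker = threading.Thread(target=_accept_once, args=(lsock, seen, timeout),
                              daemon=True)
    worker.start()

    response = b""
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.sendall(build_probe(listener_host, listener_port))
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                response += chunk
    except OSError:
        pass  # refused, reset or timed out: parse_status() will return None
    # Any relay happened before the proxy could answer us, so a short grace
    # period is enough before tearing the listener down.
    worker.join(1.0)
    lsock.close()
    return classify(parse_status(response), seen["relayed"]), response


if __name__ == "__main__":
    # Placeholders (assumption): the httpd under test, and an address on this
    # machine that the proxy can reach, like the scanner appliance's own IP.
    verdict, raw = probe("httpd.internal.example", 80, "192.0.2.10", 32943)
    print(verdict)
    print(raw[:200].decode("latin-1"))
```

Run it once against the host as it is, then after each configuration change; the verdict should move from "OPEN" to "not proxying" (forward proxying switched off) or to "restricted" (a `<Proxy>` block that denies this client or demands credentials). For a quick manual equivalent, `curl -x http://httpd.internal.example:80 http://192.0.2.10:32943/` sends the same absolute-URI request, but you still need the listener to tell a relayed 200 from a local one.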
