Hello, We are using Apache HTTPD 2.4.53 for an internal content management system. It is not customer-facing. The security solution considers the proxy vulnerable to an "Unauthenticated/Open Web Proxy Detected" vulnerability. After many back and forths with them to check if it's a false positive, we still made these changes in httpd.conf file as per this Apache documentation https://httpd.apache.org/docs/current/howto/auth.html
Do you think this is the fix for the above-mentioned vulnerabilities? The reason to ask here is that Qualys doesn't provide any CVE and asks us to confirm from Apache. This is the solution given by Qualys, which we tried to apply within httpd.conf. Let me know if we misunderstood: SOLUTION: Configure your proxy server to only allow connections from valid users/hosts within your internal network, or to require authentication in order to use the proxy services. If you need more assistance on how to do this, please contact the vendor of the proxy software. =================Vulnerability Details============== 62054- Unauthenticated/Open Web Proxy Detected (External) 62002- Unauthenticated/Open Web Proxy Detected IMPACT: Successful exploitation may allow unauthorized users to browse the Internet with your IP address , your Intranet and Web server. This may also be exploited to scan non-http services inside your firewall. SOLUTION: Reconfigure your proxy. COMPLIANCE: Not Applicable EXPLOITABILITY: There is no exploitability information for this vulnerability. ASSOCIATED MALWARE: There is no malware information for this vulnerability. RREESSUULLTTSS:: GET http://QualysScannerApplianceIP:32943/<http://qualysscannerapplianceip:32943/> HTTP/1.0 ====================== Here is how we made the changes in Apache's httpd.conf file Code: #Sept 2024 - Attempting to fix unauthenticated proxy vul (QIDs 62002 and 62054) AllowOverride AuthConfig #Sept 2024 - Attempting to fix unauthenticated proxy vul (QIDs 62002 and 62054) Order allow,deny Allow from corpr.company_domain.local #Sept 2024 - Attempting to fix unauthenticated proxy vul (QIDs 62002 and 62054) AuthType Basic AuthName "Restricted Files" ## (Following line optional) #AuthBasicProvider file AuthUserFile "C:\httpd-2.4.53-win64-VS16\Apache24\passwd\passwords" Require user rbowen </Directory> # Mod_Proxy Settings <VirtualHost *> ProxyRequests On ProxyTimeout 3600 ProxyPreserveHost On <Proxy *> Order deny,allow Deny from all Allow from corpr.company_domain.local </Proxy> </VirtualHost> ProxyPass /fontoxml http://localhost:9191/fontoxml ProxyPassReverse /fontoxml http://localhost:9191/fontoxml ProxyPass /api/fonto/proxy/spell-checker http://localhost:6050 ProxyPassReverse /api/fonto/proxy/spell-checker http://localhost:6050 ProxyPass /api/fonto http://localhost:9191/api/fonto ProxyPassReverse /api/fonto http://localhost:9191/api/fonto #QID 12680: HTTP TRACE / TRACK Methods Enabled TraceEnable off Confidentiality Warning: This email and any files transmitted with it may be confidential and are intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify the sender immediately and delete this original message and any copy of it from your computer system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this email is strictly prohibited. Disclaimer: This email may contain information that is intended to lend technical knowledge and support to the recipient. Laws, regulations, and best practices change, and the observations and comments drawn today may not apply to laws, regulations, or best practices as they may be in the future. Any recommendations made by J. J. Keller staff are offered in strictly an advisory capacity and are not to be construed as legal advice. Recipients seeking legal advice should consult with legal counsel. J. J. Keller & Associates, Inc. P. O. Box 368, Neenah, WI 54957-0368
