Apache Httpd < 2.0.65 : mod_proxy reverse proxy exposure

2011-09-16T00:00:00
ID HTTPD:957760910D8CC358871C30AD5A1D2A5F
Type httpd
Reporter Apache Team Foundation
Modified 2013-07-22T00:00:00

Description

An exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with proxy flag or ProxyPassMatch, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to attacker. No update of 1.3 will be released. Patches will be published to https://archive.apache.org/dist/httpd/patches/apply_to_1.3.42/