The reverse proxy feature (mod_proxy) has a new vulnerability. If pattern matching is used, a crafted attack (using invalid inputs; even though this does not involve SQL, the "Little Bobby Tables" XKCD comes to mind again, for like the 3rd time this week!) can expose information on internal hosts.

Full details (and remediation) here ==> http://seclists.org/fulldisclosure/2011/Oct/232

Patch is available for 2.2.21 here ==> http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/

The CVE is pretty sparse, but look for more content soon ==> CVE-2011-3368
Rob VandenBrink, ISC Handler, Oct 6th 2011
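The "pattern matching" the diary refers to is a RewriteRule (or ProxyPassMatch) that captures the whole request-URI and appends it to a back-end URL. Below is an added illustration, not configuration from the diary or from the Apache project's own files: a weak rule of that shape beside a hardened version that applies the RewriteCond guard Apache published as a workaround for CVE-2011-3368. The host name backend.internal.example is a placeholder, and the two sections are alternatives, not one file.

```apache
# --- Weak pattern (the shape affected by CVE-2011-3368) ---
# The captured request-URI ($1) is glued straight onto the host with no
# separating "/". A request-URI that does not begin with "/" is therefore
# appended to the authority part of the target URL, so the proxy can be
# steered to an internal host other than the intended back end.
RewriteEngine On
RewriteRule (.*) http://backend.internal.example$1 [P]

# --- Hardened version ---
# Refuse any request-URI that is empty or does not start with "/" before
# the proxying rule can see it. These three lines are the mitigation
# Apache published for CVE-2011-3368; they return 403 for such requests.
RewriteEngine On
RewriteCond %{REQUEST_URI} !^$
RewriteCond %{REQUEST_URI} !^/
RewriteRule . - [F]
# Proxy only properly rooted paths, and keep an explicit "/" between the
# back-end host and the captured path so $1 can never reach the authority.
RewriteRule ^/(.*) http://backend.internal.example/$1 [P]
```

The guard is a stop-gap for hosts that cannot be patched immediately; the 2.2.21 patch linked above is the proper fix.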