oss-sec mailing list archives

CVE-2023-25690: Apache HTTP Server: HTTP request splitting with mod_rewrite and mod_proxy

From: Eric Covener <covener () apache org>
Date: Tue, 07 Mar 2023 12:55:07 +0000

Severity: important

Description:

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.




Configurations are affected when mod_proxy is enabled along with some form of RewriteRule
 or ProxyPassMatch in which a non-specific pattern matches
 some portion of the user-supplied request-target (URL) data and is then
 re-inserted into the proxied request-target using variable 
substitution. For example, something like:




RewriteEngine on
RewriteRule "^/here/(.*)" " http://example.com:8080/elsewhere?$1"; http://example.com:8080/elsewhere ; [P]
ProxyPassReverse /here/  http://example.com:8080/ http://example.com:8080/ 


Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to 
existing origin servers, and cache poisoning.

Credit:

Lars Krapf of Adobe (finder)

References:

https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-25690

Timeline:

2023-02-02: reported

Current thread:

CVE-2023-25690: Apache HTTP Server: HTTP request splitting with mod_rewrite and mod_proxy Eric Covener (Mar 07)