mod_proxy problem in Apache v1.2b8

Valgamon (valgy@GNU.AI.MIT.EDU)
Mon, 28 Apr 1997 23:16:42 -0400

A little(?) problem I noticed in the eighth beta of Apache v1.2

Synopsis:

When the proxy module is compiled into the server executable, and the
access configuration file is set up for host-based denial, an attacker can
still access the proxy and effectively appear to be coming from your host
while browsing the web. This problem seems to be platform-independent.

Background:

I was testing Apache's viability as an alternative to the TIS Firewall
Toolkit's HTTP proxy. The access.conf file had been correctly set to deny
all hosts access to the proxy except for my testing machine, as follows:

<Directory proxy:*>
<Limit GET>
order deny,allow
deny from all
allow from testing.machine.ip.address
</Limit>
</Directory>

Yet it still allows any host to retrieve any website as long as you leave
off the trailing forward slash from the GET request. When telnetting to
the proxy port from hosts that should be denied access to the proxy, I
issued two very similar GET requests and got two different results.

GET http://www.yahoo.com <--- gives you the page!! It should not!
GET http://www.yahoo.com/ <--- denies you, like it's supposed to.

The only difference is that forward slash on the end of the 2nd request.

The docs are very sparse in this area so I emailed apache-bugs@apache.org.
Chuck Murcko responded, confirming that this was indeed a new bug, and
assured me that it will be fixed in 1.2b10.

Temporary Fix: use a <File> block instead of <Directory>.

--
Lou Rinaldi - Co-Founder of the Connecticut Free Unix Group (www.CFUG.org)
"Many people equate the word 'daemon' with the word 'demon,' implying some
 kind of Satanic connection between UNIX and the underworld." -Evi Nemeth