lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5.2.0.9.2.20030722170958.01750988@pop3.rowe-clan.net>
Date: Tue, 22 Jul 2003 17:30:39 -0500
From: "William A. Rowe, Jr." <wrowe@...che.org>
To: "Jason Robertson" <jason@...ture.com>
Subject: Re: Apache 1.3.27 mod_proxy security issue


The Security Team responded 13 minutes after Jason's initial report,
attempting to explain how he had misconfigured his server.  While we
acknowledge that new directives might be desirable in limited cases, 
the team determined that this is clearly a user configuration error.

The Apache HTTP Server Documentation Project has been working
to improve and further clarify the risks of open proxies, including open
faux-HTTP proxies into SMTP servers.  They actively solicit contributions
to the documentation (preferably with a patch) for any ambiguous or 
insufficiently covered topics;

  http://httpd.apache.org/docs-project/

More details follow;

At 11:52 AM 7/22/2003, Jason Robertson wrote:
>I have found that recently a spammer has been using a mod_proxy 
>configuration, (that was meant to allow for an easier transition to a 
>new naming scheme, as well as changes to a backend software) as a spam 
>relay.  
>The spammer has been using HTTP POST requests to send these messages
>with POST HTTP://mailserver:25/ HTTP/1.1  
>With some research it looks like this is an automated process including 
>the initial scan stage.
>
>When I contacted Apache in regards to this, the response was not very 
>promising. 
>
>This problem would be a simple fix with implementing the AllowConnect 
>configuration option within proxy_http, to prevent outbound 
>connections.  

As described in the default configuration, open proxies are never
recommended [from Apache 1.3.27 conf/httpd.conf-dist];

#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
#<IfModule mod_proxy.c>
#    ProxyRequests On

#    <Directory proxy:*>
#        Order deny,allow
#        Deny from all
#        Allow from .your-domain.com
#    </Directory>

    #
    # Enable/disable the handling of HTTP/1.1 "Via:" headers.
    # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
    # Set to one of: Off | On | Full | Block
    #
#    ProxyVia On

    #
    # To enable the cache as well, edit and uncomment the following lines:
    # (no cacheing without CacheRoot)
    #
#    CacheRoot "@@ServerRoot@@/proxy"
#    CacheSize 5
#    CacheGcInterval 4
#    CacheMaxExpire 24
#    CacheLastModifiedFactor 0.1
#    CacheDefaultExpire 1
#    NoCache a-domain.com another-domain.edu joes.garage-sale.com

#</IfModule>
# End of proxy directives.

If (for the purposes of collecting several machine's collective content)
you are attempting to ProxyPass a number of URI's to different boxes,
you should NOT be enabling ProxyRequests.

The final statements in the ProxyRequests directive documentation are;

http://httpd.apache.org/docs/mod/mod_proxy.html#proxyrequests

  "This allows or prevents Apache from functioning as a proxy server. 
   Setting ProxyRequests to 'off' does not disable use of the <http://httpd.apache.org/docs/mod/mod_proxy.html#proxypass>ProxyPass 
   directive."

  "Warning: Do not enable proxying until you have <http://httpd.apache.org/docs/mod/mod_proxy.html#access>secured your server. 
   Open proxy servers are dangerous both to your network and to the 
   Internet at large."

Access control is briefly illustrated further with additional references in;

http://httpd.apache.org/docs/mod/mod_proxy.html#access

Bill



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ