mod_proxy and POST bug in Apache?...

Allen Kistler... (Guest)
Posted: Wed Aug 12, 2009 1:23 am

One of the things about using Freenode is that they scan you when you
connect to them. As a user, you agree to that. That's not a problem
for me, but it pointed out something recently.

I run Apache 2.2.11 with mod_proxy. I only allow, or so I thought,
proxy connections from internal hosts. ProxyRequests is Off for my
virtual server that faces the Internet. Freenode checks for that.

When they scanned me, my Apache correctly responded 405 to their CONNECT
request for a non-local URL, but it happily responded 200 to their POST
request for a non-local URL. POST scanning from them is new within the
last week.

I've been unable to find any mention of this behavior of httpd on the
web, including apache.org and BugTraq, the two (I think) most obvious
places to check.

It seems logical to me that Freenode now does this scan because they
know something. But other than discovering I'm vulnerable to it, I
haven't been able to find anything about it.

It seems like an Apache bug to me. What does anybody know?

Allen Kistler... (Guest)
Posted: Wed Aug 12, 2009 12:40 pm

Allen Kistler wrote:
> [snip]
> When they scanned me, my Apache correctly responded 405 to their CONNECT
> request for a non-local URL, but it happily responded 200 to their POST
> request for a non-local URL.
> [snip]
> It seems like an Apache bug to me. What does anybody know?

So I did my own pen attempt on myself. Apache just returns my
index.html for the POST. Successfully returning index.html is why the
return code is 200. It didn't actually proxy anything.
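
The check described in the second post, as an added example that is not part of the original thread: a self-audit for your own server that treats a 200 to a proxy-style POST as inconclusive until the body is compared with the server's own page for the same path. The function names and the sample responses are constructed for illustration, and comparing against the locally requested path is an assumption about how the server maps the request.

```python
import socket
from urllib.parse import urlsplit

def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_code, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].split()
    if len(status_line) < 2 or not status_line[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP response")
    return int(status_line[1]), body

def classify(probe, baseline):
    """Decide what a proxy-style probe response means, given the local baseline."""
    status, body = probe
    if status >= 400:
        return "refused"           # e.g. the 405 returned for CONNECT
    if (status, body) == baseline:
        return "served-locally"    # 200, but it is the server's own page
    return "investigate"           # content differs from the local page

def send(host, port, method, target, host_header, timeout=5.0):
    """Send one HTTP/1.0 request and return (status_code, body)."""
    req = (f"{method} {target} HTTP/1.0\r\nHost: {host_header}\r\n"
           "Content-Length: 0\r\n\r\n").encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        raw = b"".join(iter(lambda: s.recv(4096), b""))  # read until close
    return parse_response(raw)

def audit(host, port, foreign_url):
    """Probe your own server: POST an absolute URL, compare with the local page."""
    parts = urlsplit(foreign_url)
    probe = send(host, port, "POST", foreign_url, parts.netloc)
    # Assumption: a non-proxying server serves the URL's path from local content.
    baseline = send(host, port, "GET", parts.path or "/", host)
    return classify(probe, baseline)

if __name__ == "__main__":
    # Constructed responses (not captured traffic) mirroring the thread.
    index = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>my index</html>"
    refused = b"HTTP/1.1 405 Method Not Allowed\r\n\r\n"
    print(classify(parse_response(refused), parse_response(index)))
    print(classify(parse_response(index), parse_response(index)))
```

A page whose content changes between requests will come back as "investigate" rather than "served-locally", so that result calls for a manual look at the body, not a conclusion.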
All times are GMT - 5 Hours