Description
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.
A configuration like one of the following examples:
RewriteRule (.*)\.(jpg|gif|png) http://images.example.com$1.$2 [P]
ProxyPassMatch (.*)\.(jpg|gif|png) http://images.example.com$1.$2
could result in an exposure of internal servers. A request of the form:
GET @other.example.com/something.png HTTP/1.1
would get translated to a target of:
http://images.example.com@other.example.com/something.png
This will cause the proxy to connect to the hostname "other.example.com", as the "images.example.com@" segment would be
treated as user credentials when parsing the URL. This would allow a remote attacker the ability to proxy to hosts other than those
expected, which could be a security exposure in some circumstances.
Remediation
Apache HTTPD users should examine their configuration files to determine if they have used an insecure configuration for reverse proxying. Affected users can update their configuration, or apply the patch.
For example, the above RewriteRule could be changed to:
RewriteRule /(.*)\.(jpg|gif|png) http://images.example.com/$1.$2 [P]
to ensure the pattern only matches against paths with a leading "/".
References
Related Vulnerabilities
PostgreSQL Improper Input Validation Vulnerability (CVE-2014-0066)
SAML Consumer Service External Dereference SSRF
Moodle Improper Input Validation Vulnerability (CVE-2012-6101)
Squid Improper Input Validation Vulnerability (CVE-2016-2570)
WordPress Improper Input Validation Vulnerability (CVE-2014-9038)