[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#212030: apache: mod_proxy allows the world to use it - letting spammers bounce through it

Package: apache
Version: 1.3.27.1-3
Severity: normal
Tags: security

Today I recieved a warning from my ISP because another client of his
saw that my machine was trying to send spam messages though its SMTP
server.  The report from the complainer looked like this:

h8H0rcr11849: ruleset=check_rcpt, arg1=<klonger@swbell.net>,
relay=line105-145.adsl.actcom.co.il [192.117.105.145], reject=550 5.7.1
<klonger@swbell.net>... Relaying denied

It really looks like the spam comes from my machine.  Apache's logs for
that period contained error messages like:

[Wed Sep 17 00:58:37 2003] [error] [client 67.202.110.253] (111)Connection refus
ed: proxy connect to 192.117.106.16 port 25 failed

And sometimes:

[Wed Sep 17 01:57:05 2003] [error] [client 64.216.222.87] Invalid method in requ
est QUIT

My guess is that the spammer somehow causes Apache to redirect SMTP connections
through its mod_proxy.

The relevant parts in httpd.conf were:
--------------------------------------------------------
LoadModule proxy_module /usr/lib/apache/1.3/libproxy.so
....
<IfModule mod_proxy.c>

   # Proxy Server directives. Uncomment the following lines to
   # enable the proxy server:
   #
   <IfModule mod_proxy.c>
   ProxyRequests On

   <Directory proxy:*>
       Order deny,allow
       #Deny from all
       #Allow from .your_domain.com
       Allow from all
   </Directory>
</IfModule>
--------------------------------------------------------

I think this is a security bug (can cause DoS) because

1. It allows the system to be used to bounce spam e-mail, and I was lucky
   that my ISP was friendly enough to call me before pulling the plug on
   my connection,
2. It can also just generally load my link if someone uses my proxy on
   the other side of my ADSL line, just to DoS me.

Thanks,

--Amos

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux picton 2.4.20 #2 Tue May 13 23:12:56 IDT 2003 i686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8

Versions of packages apache depends on:
ii  apache-common                 1.3.27.1-3 Support files for all Apache webse
ii  debconf                       1.3.14     Debian configuration management sy
ii  dpkg                          1.10.15    Package maintenance system for Deb
ii  libc6                         2.3.2-7    GNU C Library: Shared libraries an
ii  libdb4.1                      4.1.25-6   Berkeley v4.1 Database Libraries [
ii  libexpat1                     1.95.6-6   XML parsing C library - runtime li
ii  libmagic1                     4.03-3     File type determination library us
ii  logrotate                     3.6.5-2    Log rotation utility
ii  mime-support                  3.23-1     MIME files 'mime.types' & 'mailcap
ii  perl [perl5]                  5.8.0-21   Larry Wall's Practical Extraction 

-- debconf information:
  apache/enable-suexec: false
Reply to: