Bug#212030: apache: mod_proxy allows the world to use it - letting spammers bounce through it
tags 212030 - security
thanks
On Sun, Sep 21, 2003 at 10:57:22PM +0300, Amos Shapira wrote:
> My guess is that the spammer somehow causes Apache to redirect SMTP connections
> through its mod_proxy.
>
> The relevant parts in httpd.conf were:
> --------------------------------------------------------
> LoadModule proxy_module /usr/lib/apache/1.3/libproxy.so
> ....
> <IfModule mod_proxy.c>
>
> # Proxy Server directives. Uncomment the following lines to
> # enable the proxy server:
> #
> <IfModule mod_proxy.c>
> ProxyRequests On
>
> <Directory proxy:*>
> Order deny,allow
> #Deny from all
> #Allow from .your_domain.com
> Allow from all
> </Directory>
> </IfModule>
> --------------------------------------------------------
>
> I think this is a security bug (can cause DoS) because
These lines are not present in the provided example configuration. The
example reads:
#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
#<IfModule mod_proxy.c>
# ProxyRequests On
# <Directory proxy:*>
# Order deny,allow
# Deny from all
# Allow from .your-domain.com
# </Directory>
#
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
#
# ProxyVia On
#
# To enable the cache as well, edit and uncomment the following lines:
# (no cacheing without CacheRoot)
#
# CacheRoot "@@ServerRoot@@/proxy"
# CacheSize 5
# CacheGcInterval 4
# CacheMaxExpire 24
# CacheLastModifiedFactor 0.1
# CacheDefaultExpire 1
# NoCache a-domain.com another-domain.edu joes.garage-sale.com
#</IfModule>
# End of proxy directives.
You seem to have explicitly added "Allow from all", thus configuring it as an
open proxy. The security issue is with your configuration, not with apache.
--
- mdz
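As an added illustration, not part of this bug report or of Apache itself, here is a small Python audit that flags the misconfiguration mdz points out: `ProxyRequests On` together with `Allow from all` inside `<Directory proxy:*>`. The two configurations it checks are constructed from the snippets quoted above; `.your-domain.com` is the placeholder from the shipped example, not a real host.

```python
import re

# Constructed sample, mirroring the reporter's httpd.conf quoted in the bug:
# ProxyRequests On plus "Allow from all" inside <Directory proxy:*>.
OPEN_PROXY_CONF = """\
<IfModule mod_proxy.c>
ProxyRequests On
<Directory proxy:*>
Order deny,allow
#Deny from all
Allow from all
</Directory>
</IfModule>
"""

# Constructed sample of the restricted form the shipped default suggests:
# deny everyone, then allow only your own hosts (placeholder domain).
RESTRICTED_CONF = OPEN_PROXY_CONF.replace(
    "#Deny from all\nAllow from all", "Deny from all\nAllow from .your-domain.com")

def _directives(conf):
    """Yield active directive lines, skipping blanks and '#' comments."""
    for raw in conf.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line

def audit_proxy(conf):
    """Return findings for forward-proxy exposure in an Apache 1.3 httpd.conf."""
    # ProxyRequests On is only acceptable when the <Directory proxy:*> block
    # denies by default ("Deny from all") and never grants "Allow from all".
    proxy_on = in_block = allow_all = deny_all = False
    for line in _directives(conf):
        if re.match(r"ProxyRequests\s+On$", line, re.I):
            proxy_on = True
        elif re.match(r"<Directory\s+proxy:\*\s*>$", line, re.I):
            in_block = True
        elif in_block and line.lower() == "</directory>":
            in_block = False
        elif in_block and re.match(r"Allow\s+from\s+all$", line, re.I):
            allow_all = True
        elif in_block and re.match(r"Deny\s+from\s+all$", line, re.I):
            deny_all = True
    findings = []
    if proxy_on and allow_all:
        findings.append("open proxy: 'Allow from all' in <Directory proxy:*>")
    elif proxy_on and not deny_all:
        findings.append("ProxyRequests On without 'Deny from all' in <Directory proxy:*>")
    return findings
```

Running `audit_proxy` over the reporter's configuration yields the open-proxy finding, while the restricted variant yields none.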