
Bug#212030: marked as done (apache: mod_proxy allows the world to use it - letting spammers bounce through it)



Your message dated Mon, 22 Sep 2003 07:22:04 +0200 (CEST)
with message-id <Pine.LNX.4.58.0309220716380.11129@trider-g7.ext.fabbione.net>
and subject line Bug#212030: apache: mod_proxy allows the world to use it -    letting spammers bounce through it
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 21 Sep 2003 19:57:30 +0000
>From debian-bug@amos.mailshell.com Sun Sep 21 14:57:28 2003
Return-path: <debian-bug@amos.mailshell.com>
Received: from lmail.actcom.co.il (smtp1.actcom.net.il) [192.114.47.13] 
	by master.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1A1AKl-0006Nn-00; Sun, 21 Sep 2003 14:57:27 -0500
Received: from [192.117.105.145] (line105-145.adsl.actcom.co.il [192.117.105.145])
	by smtp1.actcom.net.il (8.12.8/8.12.8) with ESMTP id h8LK2Ps5028513;
	Sun, 21 Sep 2003 23:02:26 +0300
Message-Id: <200309212002.h8LK2Ps5028513@smtp1.actcom.net.il>
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Amos Shapira <debian-bug@amos.mailshell.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache: mod_proxy allows the world to use it - letting spammers bounce
 through it
X-Mailer: reportbug 2.29
Date: Sun, 21 Sep 2003 22:57:22 +0300
Delivered-To: submit@bugs.debian.org
X-Spam-Status: No, hits=-4.1 required=4.0
	tests=HAS_PACKAGE,MSG_ID_ADDED_BY_MTA_3
	version=2.53-bugs.debian.org_2003_9_20
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.53-bugs.debian.org_2003_9_20 (1.174.2.15-2003-03-30-exp)

Package: apache
Version: 1.3.27.1-3
Severity: normal
Tags: security

Today I received a warning from my ISP because another client of his
saw that my machine was trying to send spam messages through its SMTP
server.  The report from the complainer looked like this:

h8H0rcr11849: ruleset=check_rcpt, arg1=<klonger@swbell.net>,
relay=line105-145.adsl.actcom.co.il [192.117.105.145], reject=550 5.7.1
<klonger@swbell.net>... Relaying denied

It really looks like the spam comes from my machine.  Apache's logs for
that period contained error messages like:

[Wed Sep 17 00:58:37 2003] [error] [client 67.202.110.253] (111)Connection refused: proxy connect to 192.117.106.16 port 25 failed

And sometimes:

[Wed Sep 17 01:57:05 2003] [error] [client 64.216.222.87] Invalid method in request QUIT

My guess is that the spammer somehow causes Apache to redirect SMTP connections
through its mod_proxy.

The relevant parts in httpd.conf were:
--------------------------------------------------------
LoadModule proxy_module /usr/lib/apache/1.3/libproxy.so
....
<IfModule mod_proxy.c>

   # Proxy Server directives. Uncomment the following lines to
   # enable the proxy server:
   #
   <IfModule mod_proxy.c>
   ProxyRequests On

   <Directory proxy:*>
       Order deny,allow
       #Deny from all
       #Allow from .your_domain.com
       Allow from all
   </Directory>
</IfModule>
--------------------------------------------------------

I think this is a security bug (can cause DoS) because

1. It allows the system to be used to bounce spam e-mail, and I was lucky
   that my ISP was friendly enough to call me before pulling the plug on
   my connection,
2. It can also just generally load my link if someone uses my proxy on
   the other side of my ADSL line, just to DoS me.

Thanks,

--Amos

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux picton 2.4.20 #2 Tue May 13 23:12:56 IDT 2003 i686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8

Versions of packages apache depends on:
ii  apache-common                 1.3.27.1-3 Support files for all Apache webse
ii  debconf                       1.3.14     Debian configuration management sy
ii  dpkg                          1.10.15    Package maintenance system for Deb
ii  libc6                         2.3.2-7    GNU C Library: Shared libraries an
ii  libdb4.1                      4.1.25-6   Berkeley v4.1 Database Libraries [
ii  libexpat1                     1.95.6-6   XML parsing C library - runtime li
ii  libmagic1                     4.03-3     File type determination library us
ii  logrotate                     3.6.5-2    Log rotation utility
ii  mime-support                  3.23-1     MIME files 'mime.types' & 'mailcap
ii  perl [perl5]                  5.8.0-21   Larry Wall's Practical Extraction 

-- debconf information:
  apache/enable-suexec: false
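
The two kinds of error_log entry quoted in the report above are enough to spot this abuse. As an added example (not part of the original report or of Apache), this scans Apache 1.3 error_log lines for failed proxy connects to mail ports and for SMTP verbs arriving as HTTP methods; the sample lines are constructed with documentation addresses, and the function and constant names are hypothetical.

```python
import re
from collections import defaultdict

# Apache 1.3 error_log layout: [date] [error] [client IP] message
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$")
# mod_proxy could not reach the upstream the client asked for
PROXY_FAIL = re.compile(r"proxy connect to (?P<dst>\S+) port (?P<port>\d+) failed")
# An SMTP verb parsed as the HTTP method: the client is speaking SMTP to the web port
SMTP_AS_METHOD = re.compile(
    r"Invalid method in request (?P<verb>HELO|EHLO|MAIL|RCPT|DATA|RSET|QUIT)\b")
MAIL_PORTS = {25, 465, 587}

def find_proxy_abuse(lines):
    """Return {client_ip: sorted reasons} for entries that suggest mail relaying."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ip, msg = m["ip"], m["msg"]
        p = PROXY_FAIL.search(msg)
        if p and int(p["port"]) in MAIL_PORTS:
            hits[ip].add(f"proxy connect to mail port {p['dst']}:{p['port']}")
        s = SMTP_AS_METHOD.search(msg)
        if s:
            hits[ip].add(f"SMTP verb {s['verb']} sent as HTTP method")
    return {ip: sorted(reasons) for ip, reasons in hits.items()}

# Constructed sample lines, modelled on the two entries in the report.
SAMPLE = [
    "[Wed Sep 17 00:58:37 2003] [error] [client 198.51.100.7] "
    "(111)Connection refused: proxy connect to 192.0.2.16 port 25 failed",
    "[Wed Sep 17 01:57:05 2003] [error] [client 198.51.100.9] "
    "Invalid method in request QUIT",
    "[Wed Sep 17 02:10:11 2003] [error] [client 203.0.113.5] "
    "File does not exist: /var/www/favicon.ico",
    "[Wed Sep 17 02:11:40 2003] [error] [client 203.0.113.5] "
    "(110)Connection timed out: proxy connect to 192.0.2.80 port 80 failed",
]

if __name__ == "__main__":
    for ip, reasons in find_proxy_abuse(SAMPLE).items():
        print(ip, "; ".join(reasons))
```

The error log only records attempts that failed or were malformed; proxied requests that succeeded have to be looked for in the access log.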


---------------------------------------
Received: (at 212030-done) by bugs.debian.org; 22 Sep 2003 05:22:08 +0000
>From fabbione@fabbione.net Mon Sep 22 00:22:07 2003
Return-path: <fabbione@fabbione.net>
Received: from port5.ds1-sby.adsl.cybercity.dk (trider-g7.fabbione.net) [212.242.169.198] 
	by master.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1A1J9C-0008MH-00; Mon, 22 Sep 2003 00:22:06 -0500
Received: from trider-g7.ext.fabbione.net (port5.ds1-sby.adsl.cybercity.dk [212.242.169.198])
	by trider-g7.fabbione.net (Postfix) with ESMTP id C08C63B;
	Mon, 22 Sep 2003 07:22:04 +0200 (CEST)
Date: Mon, 22 Sep 2003 07:22:04 +0200 (CEST)
From: Fabio Massimo Di Nitto <fabbione@fabbione.net>
Sender: fabbione@trider-g7.ext.fabbione.net
To: Amos Shapira <debian-bug@amos.mailshell.com>,
	212030-done@bugs.debian.org
Subject: Re: Bug#212030: apache: mod_proxy allows the world to use it -   
 letting spammers bounce through it
In-Reply-To: <200309212002.h8LK2Ps5028513@smtp1.actcom.net.il>
Message-ID: <Pine.LNX.4.58.0309220716380.11129@trider-g7.ext.fabbione.net>
References: <200309212002.h8LK2Ps5028513@smtp1.actcom.net.il>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Delivered-To: 212030-done@bugs.debian.org
X-Spam-Status: No, hits=-6.3 required=4.0
	tests=EMAIL_ATTRIBUTION,QUOTED_EMAIL_TEXT,SIGNATURE_SHORT_SPARSE
	version=2.53-bugs.debian.org_2003_9_21
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.53-bugs.debian.org_2003_9_21 (1.174.2.15-2003-03-30-exp)

On Sun, 21 Sep 2003, Amos Shapira wrote:

> Package: apache
> Version: 1.3.27.1-3
> Severity: normal
> Tags: security
>
> Today I received a warning from my ISP because another client of his
> saw that my machine was trying to send spam messages through its SMTP
> server.  The report from the complainer looked like this:
>

[snip]

> My guess is that the spammer somehow causes Apache to redirect SMTP connections
> through its mod_proxy.
>
> The relevant parts in httpd.conf were:
> --------------------------------------------------------
> LoadModule proxy_module /usr/lib/apache/1.3/libproxy.so
> ....
> <IfModule mod_proxy.c>
>
>    # Proxy Server directives. Uncomment the following lines to
>    # enable the proxy server:
>    #
>    <IfModule mod_proxy.c>
>    ProxyRequests On
>
>    <Directory proxy:*>
>        Order deny,allow
>        #Deny from all
>        #Allow from .your_domain.com
>        Allow from all
>    </Directory>
> </IfModule>
> --------------------------------------------------------
>
> I think this is a security bug (can cause DoS) because

This is just you that didn't configure apache correctly.

The original config is:

    #<Directory proxy:*>
    #    Order deny,allow
    #    Deny from all
    #    Allow from .your_domain.com
    #</Directory>

You might want to notice the Allow from .your_domain.com. It is not there
for the sake of it. You Allow from all and mod_proxy is doing exactly what
it is told to.

> 1. It allows the system to be used to bounce spam e-mail,

You told mod_proxy to be an open proxy. Nothing to blame on apache.

Anyway I am closing this bug.

Fabio

-- 
Our mission: make IPv6 the default IP protocol
"We are on a mission from God" - Elwood Blues

http://www.itojun.org/paper/itojun-nanog-200210-ipv6isp/mgp00004.html
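
The difference between the reported configuration and the restricted one discussed in this thread can be checked mechanically. As an added example (not code from the thread or from Apache), this classifies an Apache 1.3 configuration as a disabled, restricted or open forward proxy from its active `ProxyRequests` and `<Directory proxy:*>` directives. It assumes a single proxy block and no Include files; the function name and sample strings are constructed for illustration.

```python
import re

# Access control for mod_proxy in Apache 1.3 lives in <Directory proxy:...> blocks
DIR_OPEN = re.compile(r'<Directory\s+"?proxy:[^>]*>', re.I)
DIR_CLOSE = re.compile(r"</Directory>", re.I)

def audit_proxy(conf_text):
    """Classify a config as 'disabled', 'restricted' or 'open' forward proxy."""
    proxy_on = in_proxy_dir = seen_proxy_dir = False
    order, allow_all, deny_all = "deny,allow", False, False  # Apache's default Order
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # commented-out directives are inactive
            continue
        words = line.lower().split()
        if DIR_OPEN.match(line):
            in_proxy_dir = seen_proxy_dir = True
        elif DIR_CLOSE.match(line):
            in_proxy_dir = False
        elif words[0] == "proxyrequests" and len(words) > 1:
            proxy_on = words[1] == "on"
        elif in_proxy_dir and words[0] == "order" and len(words) > 1:
            order = "".join(words[1:])          # tolerates "deny, allow"
        elif in_proxy_dir and words[:3] == ["allow", "from", "all"]:
            allow_all = True
        elif in_proxy_dir and words[:3] == ["deny", "from", "all"]:
            deny_all = True
    if not proxy_on:
        return "disabled"
    if not seen_proxy_dir:
        return "open"                           # proxy enabled with no access control
    if order == "deny,allow":                   # Allow overrides Deny, default is allow
        world = allow_all or not deny_all
    else:                                       # allow,deny: Deny overrides, default deny
        world = allow_all and not deny_all
    return "open" if world else "restricted"

# Constructed samples: the active lines of the reported config, a restricted
# variant, and the restricted variant fully commented out (assumed default state).
REPORTED = "\n".join(["ProxyRequests On", "<Directory proxy:*>", "Order deny,allow",
                      "#Deny from all", "#Allow from .your_domain.com",
                      "Allow from all", "</Directory>"])
RESTRICTED = "\n".join(["ProxyRequests On", "<Directory proxy:*>", "Order deny,allow",
                        "Deny from all", "Allow from .your_domain.com", "</Directory>"])
COMMENTED_OUT = "\n".join("#" + l for l in RESTRICTED.splitlines())

if __name__ == "__main__":
    for name in ("REPORTED", "RESTRICTED", "COMMENTED_OUT"):
        print(name, audit_proxy(globals()[name]))
```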


