-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.1518
        CVE-2023-25690: Apache HTTP Server: HTTP request splitting
                      with mod_rewrite and mod_proxy
                               10 March 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache HTTP Server
Publisher:         Apache
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-25690  

Original Bulletin: 
   https://httpd.apache.org/security/vulnerabilities_24.html

Comment: CVSS (Max):  5.3 CVE-2023-25690 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

Severity: important

Description:

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through
2.4.55 allow an HTTP Request Smuggling attack.


Configurations are affected when mod_proxy is enabled along with some form 
of RewriteRule or ProxyPassMatch in which a non-specific pattern matches
some portion of the user-supplied request-target (URL) data and is then
re-inserted into the proxied request-target using variable
substitution. For example, something like:


RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/


Request splitting/smuggling could result in bypass of access controls in
the proxy server, proxying unintended URLs to existing origin servers, and
cache poisoning.
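The affected shape is mechanical enough to look for in configuration: a proxying rule (RewriteRule with the [P]/[proxy] flag, or ProxyPassMatch) whose pattern captures an unbounded run of the request-target and then re-inserts that capture with $N substitution. The following audit script is an added illustration for this bulletin, not an Apache project tool; it approximates the advisory's "non-specific pattern" as a capture group containing ".*" or ".+" (an assumption made here), and runs over a constructed sample configuration that includes the rule shown above.

```python
"""
Heuristic audit for the configuration pattern described in CVE-2023-25690:
a RewriteRule carrying the proxy flag ([P] or [proxy]), or a ProxyPassMatch,
whose pattern captures an unbounded run of the request-target (".*" / ".+")
and re-inserts that capture into the proxied target via $N substitution.

Added example, not Apache project code. The classification rule
(unbounded capture + $N reuse in a proxying rule) is an assumption made
here to approximate the advisory's "non-specific pattern".
"""
import re
import shlex

# Constructed sample httpd configuration (not taken from a real server).
SAMPLE_CONFIG = """\
RewriteEngine on
# Pattern from the advisory: unbounded capture re-inserted into the proxy target
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
# Same shape expressed with ProxyPassMatch
ProxyPassMatch "^/api/(.*)$" "http://backend.internal:8080/app/$1"
# Tighter pattern: this capture cannot match '/', '?' or control characters
RewriteRule "^/img/([A-Za-z0-9_-]+)\\.png$" "http://img.internal/$1.png" [P,L]
# Proxying rule that does not reuse any capture
RewriteRule "^/status" "http://status.internal/health" [P]
# Unbounded capture, but the rule only redirects (no proxy flag): out of scope
RewriteRule "^/old/(.*)" "/new/$1" [R=301,L]
"""

UNBOUNDED = re.compile(r'\.[*+]')                  # ".*" or ".+" inside a group
CAPTURE_GROUP = re.compile(r'\((?!\?)([^()]*)\)')  # innermost capturing groups
PROXY_FLAGS = {'p', 'proxy'}                       # mod_rewrite's proxy flag spellings


def _rewrite_proxies(flag_token):
    """True if a RewriteRule flag list such as [P,L] or [proxy] contains the proxy flag."""
    if not (flag_token.startswith('[') and flag_token.endswith(']')):
        return False
    flags = (f.strip().split('=', 1)[0].lower() for f in flag_token[1:-1].split(','))
    return any(f in PROXY_FLAGS for f in flags)


def _unbounded_captures_reused(pattern, substitution):
    """Return 1-based indexes of groups that are unbounded and referenced as $N."""
    hits = []
    for index, group in enumerate(CAPTURE_GROUP.finditer(pattern), start=1):
        reused = re.search(rf'\${index}(?!\d)', substitution)
        if UNBOUNDED.search(group.group(1)) and reused:
            hits.append(index)
    return hits


def find_risky_proxy_rules(config_text):
    """Scan httpd configuration text; return (line_no, directive, group_indexes) findings."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        try:
            tokens = shlex.split(raw, comments=True)  # httpd-style double quoting, '#' comments
        except ValueError:
            continue  # unbalanced quotes: skip the line rather than guess
        if not tokens:
            continue
        directive = tokens[0].lower()
        if directive == 'rewriterule' and len(tokens) >= 4 and _rewrite_proxies(tokens[3]):
            pattern, substitution = tokens[1], tokens[2]
        elif directive == 'proxypassmatch' and len(tokens) >= 3:
            pattern, substitution = tokens[1], tokens[2]
        else:
            continue
        groups = _unbounded_captures_reused(pattern, substitution)
        if groups:
            findings.append((line_no, tokens[0], groups))
    return findings


if __name__ == '__main__':
    for line_no, directive, groups in find_risky_proxy_rules(SAMPLE_CONFIG):
        print(f'line {line_no}: {directive} re-inserts unbounded capture(s) {groups}; '
              f'review against CVE-2023-25690 and upgrade past 2.4.55')
```

Run against a real server, feed it the concatenated httpd.conf and included files; every finding is a rule to review by hand, since the heuristic cannot see RewriteCond guards or what the backend does with the substituted target, and a clean report does not prove a configuration safe.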

Credit:

Lars Krapf of Adobe (finder)

References:

https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-25690

Timeline:

2023-02-02: reported

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----