Prutha Parikh, a security specialist, reported that the patch released by Apache in October could still allow for an attacker to remotely access internal servers that rely on this technology.
Apache already acknowledged the problem and assigned it a new CVE to make sure it will be dealt with in the next release.
Parikh also released a
proof of concept that shows how a fully patched Apache Web Server that has the
RewriteRule/ProxyPassMatch rules incorrectly configured is still susceptible to an attack.
Until the issue is solved by Apache, the researcher proposes a very simple method that could act as a workaround for preventing any unfortunate incidents.
“Apache has not yet released a patch for this issue. Until a patch is released, configuring the reverse proxy rules correctly will prevent this issue from occurring,” she said.
Find us on Google+
No user comments yet.
Be the first to express your opinion!
