CVE-2011-3368: httpd: reverse web proxy vulnerability

CVE ID

CVE-2011-3368

DESCRIPTION

The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.

Unitrends risk assessment: None (mod_proxy module is not loaded)

RESOLUTION

For CentOS 6, the issue was fixed in httpd-2.2.15-9.el6_1.3. Unitrends systems with security updates have httpd-2.2.15-54.el6 or later, which includes this fix.
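
Both statements above (mod_proxy not loaded, httpd at or past the fixed build) can be confirmed on a host, and access logs can be screened for the malformed request form named in the description. The script below is an added example, not Unitrends or Apache code; its function names, sample data, log path and the sort -V comparison are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example: exposure checks for CVE-2011-3368 on a CentOS 6 httpd host.
FIXED_EL6="2.2.15-9.el6_1.3"   # fixed httpd build named in this article

# Constructed sample data so the functions can be exercised offline.
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 rewrite_module (shared)
 proxy_module (shared)
 proxy_http_module (shared)
Syntax OK'
SAMPLE_LOG='192.0.2.10 - - [01/Jan/2012:00:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.11 - - [01/Jan/2012:00:00:02 +0000] "GET @host.invalid/ HTTP/1.0" 400 226'

# stdin: `httpd -M` output. Prints loaded proxy modules; returns 1 if none.
loaded_proxy_modules() {
    awk '$1 ~ /^proxy_/ { print $1; n++ } END { exit (n ? 0 : 1) }'
}

# $1 = installed VERSION-RELEASE, $2 = fixed VERSION-RELEASE.
# Uses sort -V, which only approximates RPM version ordering.
version_at_least() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# stdin: access log in common/combined format (assumed). Prints entries
# whose request target starts with "@", the malformed form in the CVE text.
initial_at_requests() {
    awk -F'"' '{ split($2, req, " "); if (req[2] ~ /^@/) print }'
}

# Live checks; the log path is the CentOS default and an assumption here.
if [ "${1:-}" = "--live" ]; then
    httpd -M 2>&1 | loaded_proxy_modules || echo "no proxy modules loaded"
    installed="$(rpm -q --qf '%{VERSION}-%{RELEASE}' httpd)"
    if version_at_least "$installed" "$FIXED_EL6"; then
        echo "httpd $installed is at or past $FIXED_EL6"
    else
        echo "httpd $installed is older than $FIXED_EL6"
    fi
    initial_at_requests < /var/log/httpd/access_log
fi
```

Run it with `--live` on the host itself; without that argument it only defines the functions and sample data.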

 

LINK TO ADVISORIES

  • https://nvd.nist.gov/vuln/detail/CVE-2011-3368
  • https://access.redhat.com/security/cve/cve-2011-3368
  • https://access.redhat.com/errata/RHSA-2011:1391
