
CVE-2011-3368
Date: (C)2011-10-05   (M)2018-06-20


The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.

CVSS Score and Metrics

CVSS V3 Severity:
CVSS Score:
Exploit Score:
Impact Score:

CVSS V3 Metrics:
Attack Vector:
Attack Complexity:
Privileges Required:
User Interaction:
Scope:
Confidentiality:
Integrity:
Availability:

CVSS V2 Severity:
CVSS Score: 5.0
Exploit Score: 10.0
Impact Score: 2.9

CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality: PARTIAL
Integrity: NONE
Availability: NONE
  
Reference:
SECTRACK-1026144
EXPLOIT-DB-17969
http://seclists.org/fulldisclosure/2011/Oct/232
http://seclists.org/fulldisclosure/2011/Oct/273
http://seclists.org/fulldisclosure/2015/Apr/5
SECUNIA-46288
SECUNIA-46414
SECUNIA-48551
BID-49957
OSVDB-76079
APPLE-SA-2012-09-19-2
DSA-2405
HPSBMU02748
HPSBOV02822
IAVM:2012-A-0017
IAVM:2012-A-0152
IAVM:2012-B-0056
MDVSA-2011:144
MDVSA-2013:150
RHSA-2011:1391
RHSA-2011:1392
RHSA-2012:0542
RHSA-2012:0543
SE49723
SE49724
SSRT100966
SUSE-SU-2011:1229
http://web.archiveorange.com/archive/v/ZyS0hzECD5zzb2NkvQlt
apache-modproxy-information-disclosure(70336)
http://kb.juniper.net/JSA10585
http://packetstormsecurity.com/files/131271/VMware-Security-Advisory-2015-0003.html
http://support.apple.com/kb/HT5501
http://svn.apache.org/viewvc?view=revision&revision=1179239
http://www.contextis.com/research/blog/reverseproxybypass/
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
https://bugzilla.redhat.com/show_bug.cgi?id=740045
openSUSE-SU-2013:0243
openSUSE-SU-2013:0248

CPE    100
cpe:/a:apache:http_server:1.3.32
cpe:/a:apache:http_server:2.0.45
cpe:/a:apache:http_server:1.3.31
cpe:/a:apache:http_server:2.0.44
...
CWE    1
CWE-20
OVAL    18
oval:org.secpod.oval:def:700672
oval:org.secpod.oval:def:10695
oval:org.secpod.oval:def:600726
oval:org.secpod.oval:def:10725
...

© SecPod Technologies