AttackerKB AKB:072F503E-5DFC-40DB-A917-5DAEB9880E59
History: Mar 07, 2023 - 12:00 a.m.

CVE-2023-25690

2023-03-07 00:00:00
attackerkb.com
Tags: apache http server, mod_proxy, http request smuggling, configuration, rewriterule, proxypassmatch, access controls, proxy server, cache poisoning, vulnerability, cve-2023-25690

CVSS2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

CVSS3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

AI Score: 7.6 (Confidence: Low)
EPSS: 0.975 (Percentile: 100.0%)

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack.

Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern (such as (.*)) matches some portion of the user-supplied request-target (URL) data, and that captured data is then re-inserted into the proxied request-target using variable substitution. For example, something like:

RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/

Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying of unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
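To make the advisory's condition concrete, the following is an added example (editor's code, not from the Apache project or the advisory) that models the substitution step. The rules, the request-target and the decoding behaviour are constructed assumptions for this example: the pattern is matched against the percent-decoded path, the path part of the substituted target is re-escaped before it goes upstream, and the query part is forwarded verbatim. Under that model, decoded CR/LF that lands after "?" reaches the backend as a second request, while the same data placed in the path does not. The capture_is_safe / hardened_rewrite guard is the editor's own mitigation shape, not the fix shipped in 2.4.56.

```python
import re
from urllib.parse import quote, unquote

# Two constructed rules (hypothetical, for this example). The first has the
# shape the advisory warns about: captured path data ($1) lands after "?" of
# the proxy target, i.e. in the query string. The second reinserts the same
# capture into the path portion instead.
QUERY_RULE = (r"^/here/(.*)", "http://example.com:8080/elsewhere?$1")
PATH_RULE = (r"^/here/(.*)", "http://example.com:8080/elsewhere/$1")

# Constructed request-target: the captured part carries percent-encoded CR/LF,
# a second request line, and a trailing header name that absorbs whatever the
# proxy appends after the substitution.
SPLIT_TARGET = ("/here/a%20HTTP/1.1%0d%0aHost:%20example.com%0d%0a%0d%0a"
                "GET%20/smuggled%20HTTP/1.1%0d%0aX-Pad:%20")


def apply_rewrite(rule, request_target):
    """Return the request line and Host header the backend would receive.

    Modelled behaviour, an assumption of this example rather than a reading
    of Apache's source: the pattern is matched against the percent-decoded
    path, the path part of the substituted target is re-escaped before it
    goes upstream, and the query part is forwarded verbatim. Any query string
    on the incoming request is dropped. Returns None when the rule does not
    match.
    """
    pattern, substitution = rule
    decoded_path = unquote(request_target.split("?", 1)[0])
    m = re.match(pattern, decoded_path, re.DOTALL)  # DOTALL: let (.*) span CR/LF
    if not m:
        return None
    target = substitution.replace("$1", m.group(1))
    _, _, rest = target.partition("://")
    host, _, path_and_query = rest.partition("/")
    path, qmark, query = path_and_query.partition("?")
    escaped_path = "/" + quote(path)  # CR/LF, space, ':' become %0D%0A, %20, %3A
    return f"GET {escaped_path}{qmark}{query} HTTP/1.1\r\nHost: {host}\r\n\r\n"


def count_request_lines(raw):
    """Count lines a line-oriented backend parser would take as request lines."""
    return len(re.findall(r"^[A-Z]+ \S+ HTTP/1\.[01]\r?$", raw, re.MULTILINE))


def capture_is_safe(captured):
    """Editor's guard, not Apache's fix: refuse captured data that could alter
    request framing (CR, LF, NUL) or introduce a query string ('?')."""
    return re.search(r"[\r\n\x00?]", captured) is None


def hardened_rewrite(rule, request_target):
    """apply_rewrite, but refuse (return None, a 403 in a real server) when the
    captured data fails capture_is_safe."""
    pattern, _ = rule
    m = re.match(pattern, unquote(request_target.split("?", 1)[0]), re.DOTALL)
    if not m or not capture_is_safe(m.group(1)):
        return None
    return apply_rewrite(rule, request_target)


if __name__ == "__main__":
    for name, rule in (("query", QUERY_RULE), ("path", PATH_RULE)):
        raw = apply_rewrite(rule, SPLIT_TARGET)
        print(f"{name}: {count_request_lines(raw)} request line(s) seen upstream")
```

Running it shows two request lines upstream for QUERY_RULE and one for PATH_RULE, which is the asymmetry the advisory's "?$1" example turns on: the same capture is harmless when it is re-escaped as path and dangerous when it is copied verbatim as query.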

Recent assessments:

rbowes-r7 at May 24, 2023 4:09pm UTC reported:

This issue requires a fairly specific configuration to work. First, Apache has to be configured in a pretty specific way: a RewriteRule that passes user-controlled data into a query string. This line, from our configuration file above, is exploitable, as the $1 (user data) is after the ? (start of the query string):

RewriteRule "^/(.*)" "http://localhost:8081/?arg=$1" [P]

Whereas even a small change will break the exploit; this does not work:

RewriteRule "^/(.*)" "http://localhost:8081/$1" [P]

Additionally, this must be a security boundary; that is, smuggling an HTTP request must bypass some sort of access control check. We put together a GitHub search that tries to find software that would be exploitable if it was running on a vulnerable version of Apache, but nothing stands out as particularly interesting.

Applications and devices that come as complete images with multiple servers (such as a lot of enterprise software) would probably be better targets, but checking each one is difficult. We looked into this as an alternative way to exploit CVE-2022-1388, since the core of that vulnerability involved bypassing a reverse proxy's security checks, but its configuration is not vulnerable to CVE-2023-25690.

The final place we'd expect to see vulnerabilities is in reverse proxies that are configured to enforce some kind of ACL check or filtering, and that also do URL rewriting. One would have to test the specific configuration and application(s) that are being proxied; there's no easy way to scan for this sort of issue.

While we are not aware of any specific applications that are vulnerable to this, they may turn up as people investigate this vulnerability more.

Assessed Attacker Value: 4
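The assessment above contrasts a RewriteRule that puts $1 after "?" (exploitable) with one that puts it in the path (not), and the advisory names ProxyPassMatch as the other affected directive. The following is an added example (editor's code, not from Rapid7 or the Apache project) that audits an httpd configuration for exactly that shape: a proxying RewriteRule ([P]/[proxy]) or a ProxyPassMatch whose substitution reinserts a backreference or a %{VAR} expansion after "?". The sample configuration is constructed for the example and is not from any real deployment.

```python
import re
import shlex

# Constructed config excerpt (hypothetical, not from any real deployment). The
# first two RewriteRules are the exploitable / not-exploitable pair from the
# assessment; the ProxyPassMatch pair mirrors them.
SAMPLE_CONFIG = r'''
RewriteEngine on
RewriteRule "^/(.*)" "http://localhost:8081/?arg=$1" [P]
RewriteRule "^/(.*)" "http://localhost:8081/$1" [P]
RewriteRule "^/legacy/(.*)" "/new/$1" [R=301,L]
ProxyPassMatch "^/api/(.*)$" "http://backend:9000/svc?path=$1"
ProxyPassMatch "^/static/(.*)$" "http://backend:9000/static/$1"
RewriteRule "^/old/(.*)" "http://backend:9000/q?fixed=1" [P]
'''

# $0-$9 (RewriteRule backrefs), %0-%9 (RewriteCond backrefs) and any %{VAR}
# expansion: all of these can carry request-derived data into the target.
USER_DATA = re.compile(r"[$%][0-9]|%\{")


def _is_proxy_flag_list(flags):
    """True if a RewriteRule flag list such as [P,L] or [proxy] proxies."""
    return any(f.strip().split("=", 1)[0] in ("P", "proxy")
               for f in flags.strip("[]").split(","))


def find_risky_lines(config_text):
    """Return (line_no, directive, substitution) for every proxying rule whose
    substitution reinserts user-derived data after '?', i.e. into the query
    string of the proxied request-target."""
    hits = []
    for no, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            parts = shlex.split(stripped)  # handles the quoted pattern/target
        except ValueError:
            continue  # unbalanced quotes: not a rule we can reason about
        if not parts:
            continue
        directive = parts[0]
        if directive.lower() == "rewriterule" and len(parts) >= 4:
            substitution, flags = parts[2], parts[3]
            if not _is_proxy_flag_list(flags):
                continue  # redirects/internal rewrites are out of scope here
        elif directive.lower() == "proxypassmatch" and len(parts) >= 3:
            substitution = parts[2]
        else:
            continue
        _, qmark, query = substitution.partition("?")
        if qmark and USER_DATA.search(query):
            hits.append((no, directive, substitution))
    return hits


if __name__ == "__main__":
    for no, directive, substitution in find_risky_lines(SAMPLE_CONFIG):
        print(f"line {no}: {directive} reinserts user data after '?': {substitution}")
```

On the sample it reports line 3 (the "?arg=$1" RewriteRule) and line 6 (the "?path=$1" ProxyPassMatch) and stays quiet on the path-only variants, the non-proxying redirect, and the rule whose query string is a fixed literal. As the assessment says, a hit is a configuration to review, not proof of exploitability: the proxy must also be enforcing an access control that the smuggled request would bypass.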
