logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Apache fix for Unauthenticated/Open Web Proxy vulnerability?
Author
pks



Joined: 18 Sep 2024
Posts: 4
Location: Appleton

PostPosted: Tue 24 Sep '24 16:11    Post subject: Apache fix for Unauthenticated/Open Web Proxy vulnerability? Reply with quote

Hello,

We are using Apache HTTPD 2.4.53 for an internal content management system. It is not customer-facing. The security solution considers the proxy as vulnerable with an "Unauthenticated/Open Web Proxy Detected" security vulnerability. After many back and forth with them to check if it's a false positive, we still made these changes in httpd.conf file as per this Apache documentation https://httpd.apache.org/docs/current/howto/auth.html

Do you think this is the fix for the above-mentioned vulnerabilities? The reason to ask here is that Qualys doesn't provide any CVE and asks us to confirm from Apache.

Here is how we made the changes in Apache's httpd.conf file

AllowOverride AuthConfig
....
ProxyRequests On
....
<Proxy *>
Order deny,allow
Deny from all
Allow from corpr.company_domain.local
</Proxy>
....
AuthType Basic
AuthName "Restricted Files"
## (Following line optional)
#AuthBasicProvider file
AuthUserFile "C:\httpd-2.4.53-win64-VS16\Apache24\passwd\passwords"
Require user rbowen
...........



=================Vulnerability Details==============
62054- Unauthenticated/Open Web Proxy Detected (External)
62002- Unauthenticated/Open Web Proxy Detected
IMPACT:
Successful exploitation may allow unauthorized users to browse the Internet with your IP address , your Intranet and Web server. This may also be
exploited to scan non-http services inside your firewall.
SOLUTION:
Reconfigure your proxy.
COMPLIANCE:
Not Applicable
EXPLOITABILITY:
There is no exploitability information for this vulnerability.
ASSOCIATED MALWARE:
There is no malware information for this vulnerability.
RREESSUULLTTSS::
GET http://QualysScannerApplianceIP:32943/ HTTP/1.0
======================
Code:


#Sept 2024 - Attempting to fix unauthenticated proxy vul (QIDs 62002 and 62054)
AllowOverride AuthConfig
 
#Sept 2024 - Attempting to fix unauthenticated proxy vul (QIDs 62002 and 62054)
    Order allow,deny
    Allow from corpr.company_domain.local
#Sept 2024 - Attempting to fix unauthenticated proxy vul (QIDs 62002 and 62054)
AuthType Basic
AuthName "Restricted Files"
## (Following line optional)
#AuthBasicProvider file
AuthUserFile "C:\httpd-2.4.53-win64-VS16\Apache24\passwd\passwords"
Require user rbowen

</Directory>


# Mod_Proxy Settings
 <VirtualHost *>
   ProxyRequests On
   ProxyTimeout 3600
   ProxyPreserveHost On
   
   <Proxy *>
      Order deny,allow
                Deny from all
                Allow from corpr.company_domain.local
   </Proxy>
</VirtualHost>
ProxyPass         /fontoxml  http://localhost:9191/fontoxml
ProxyPassReverse  /fontoxml  http://localhost:9191/fontoxml

ProxyPass         /api/fonto/proxy/spell-checker  http://localhost:6050
ProxyPassReverse  /api/fonto/proxy/spell-checker http://localhost:6050

ProxyPass         /api/fonto  http://localhost:9191/api/fonto
ProxyPassReverse  /api/fonto http://localhost:9191/api/fonto

#QID 12680: HTTP TRACE / TRACK Methods Enabled
TraceEnable off



Last edited by pks on Tue 24 Sep '24 21:46; edited 2 times in total
Back to top
covener



Joined: 23 Nov 2008
Posts: 59

PostPosted: Tue 24 Sep '24 18:52    Post subject: Reply with quote

Is it intentionally a forward proxy, or is "ProxyRequests on" not needed and ProxyPass is used in front of your CMS?
Back to top
pks



Joined: 18 Sep 2024
Posts: 4
Location: Appleton

PostPosted: Tue 24 Sep '24 21:53    Post subject: Reply with quote

Thank you for your reply. I am not 100% sure how and why it's configured this way, but I see ProxyPass,ProxyPassReverse elements as well. Does that mean we should either use forward proxy (with ProxyRequests On ) or reverse proxy (configurations with ProxyPass, ProxyPassReverse elements and typically has ProxyRequests Off)? I am also trying to get in touch with internal team to clarify.
I just updated the "Code" section with more information.
Back to top
pks



Joined: 18 Sep 2024
Posts: 4
Location: Appleton

PostPosted: Tue 24 Sep '24 22:08    Post subject: Reply with quote

This is the solution given by Qualys, which we tried to apply within httpd.conf. Let me know if we misunderstood:

SOLUTION:
Configure your proxy server to only allow connections from valid users/hosts within your internal network, or to require authentication in order
to use the proxy services. If you need more assistance on how to do this, please contact the vendor of the proxy software.
Back to top
pks



Joined: 18 Sep 2024
Posts: 4
Location: Appleton

PostPosted: Fri 04 Oct '24 17:51    Post subject: Reply with quote

Thank you for pointing it out.
After turning off the ProxyRequests and making one change within the below snippet resolved the Qualys vulnerabilities 62002 and 62054.

<Directory "${SRVROOT}/cgi-bin">
AllowOverride None
Options None
Require all denied
</Directory>

We did make sure it doesn't break the integration we had with Apache HTTPD. Thanks again.
Back to top


Reply to topic   Topic: Apache fix for Unauthenticated/Open Web Proxy vulnerability? View previous topic :: View next topic
Post new topic   Forum Index -> Apache