Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: Apache fix for Unauthenticated/Open Web Proxy vulnerability? |
|
| Author |
|
pks
Joined: 18 Sep 2024
Posts: 4
Location: Appleton
|
 Posted: Tue 24 Sep '24 16:11 Post subject: Apache fix for Unauthenticated/Open Web Proxy vulnerability? |
 |
|
Hello,
We are using Apache HTTPD 2.4.53 for an internal content management system. It is not customer-facing. The security solution considers the proxy as vulnerable with an "Unauthenticated/Open Web Proxy Detected" security vulnerability. After many back and forth with them to check if it's a false positive, we still made these changes in httpd.conf file as per this Apache documentation https://httpd.apache.org/docs/current/howto/auth.html
Do you think this is the fix for the above-mentioned vulnerabilities? The reason to ask here is that Qualys doesn't provide any CVE and asks us to confirm from Apache.
Here is how we made the changes in Apache's httpd.conf file
AllowOverride AuthConfig
....
ProxyRequests On
....
<Proxy *>
Order deny,allow
Deny from all
Allow from corpr.company_domain.local
</Proxy>
....
AuthType Basic
AuthName "Restricted Files"
## (Following line optional)
#AuthBasicProvider file
AuthUserFile "C:\httpd-2.4.53-win64-VS16\Apache24\passwd\passwords"
Require user rbowen
...........
=================Vulnerability Details==============
62054- Unauthenticated/Open Web Proxy Detected (External)
62002- Unauthenticated/Open Web Proxy Detected
IMPACT:
Successful exploitation may allow unauthorized users to browse the Internet with your IP address , your Intranet and Web server. This may also be
exploited to scan non-http services inside your firewall.
SOLUTION:
Reconfigure your proxy.
COMPLIANCE:
Not Applicable
EXPLOITABILITY:
There is no exploitability information for this vulnerability.
ASSOCIATED MALWARE:
There is no malware information for this vulnerability.
RREESSUULLTTSS::
GET http://QualysScannerApplianceIP:32943/ HTTP/1.0
======================
| Code: |
#Sept 2024 - Attempting to fix unauthenticated proxy vul (QIDs 62002 and 62054)
AllowOverride AuthConfig
#Sept 2024 - Attempting to fix unauthenticated proxy vul (QIDs 62002 and 62054)
Order allow,deny
Allow from corpr.company_domain.local
#Sept 2024 - Attempting to fix unauthenticated proxy vul (QIDs 62002 and 62054)
AuthType Basic
AuthName "Restricted Files"
## (Following line optional)
#AuthBasicProvider file
AuthUserFile "C:\httpd-2.4.53-win64-VS16\Apache24\passwd\passwords"
Require user rbowen
</Directory>
# Mod_Proxy Settings
<VirtualHost *>
ProxyRequests On
ProxyTimeout 3600
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Deny from all
Allow from corpr.company_domain.local
</Proxy>
</VirtualHost>
ProxyPass /fontoxml http://localhost:9191/fontoxml
ProxyPassReverse /fontoxml http://localhost:9191/fontoxml
ProxyPass /api/fonto/proxy/spell-checker http://localhost:6050
ProxyPassReverse /api/fonto/proxy/spell-checker http://localhost:6050
ProxyPass /api/fonto http://localhost:9191/api/fonto
ProxyPassReverse /api/fonto http://localhost:9191/api/fonto
#QID 12680: HTTP TRACE / TRACK Methods Enabled
TraceEnable off
|
Last edited by pks on Tue 24 Sep '24 21:46; edited 2 times in total |
|
| Back to top |
|
covener
Joined: 23 Nov 2008
Posts: 59
|
| Posted: Tue 24 Sep '24 18:52 Post subject: |
|
|
| Is it intentionally a forward proxy, or is "ProxyRequests on" not needed and ProxyPass is used in front of your CMS? |
|
| Back to top |
|
pks
Joined: 18 Sep 2024
Posts: 4
Location: Appleton
|
| Posted: Tue 24 Sep '24 21:53 Post subject: |
|
|
Thank you for your reply. I am not 100% sure how and why it's configured this way, but I see ProxyPass,ProxyPassReverse elements as well. Does that mean we should either use forward proxy (with ProxyRequests On ) or reverse proxy (configurations with ProxyPass, ProxyPassReverse elements and typically has ProxyRequests Off)? I am also trying to get in touch with internal team to clarify.
I just updated the "Code" section with more information. |
|
| Back to top |
|
pks
Joined: 18 Sep 2024
Posts: 4
Location: Appleton
|
| Posted: Tue 24 Sep '24 22:08 Post subject: |
|
|
This is the solution given by Qualys, which we tried to apply within httpd.conf. Let me know if we misunderstood:
SOLUTION:
Configure your proxy server to only allow connections from valid users/hosts within your internal network, or to require authentication in order
to use the proxy services. If you need more assistance on how to do this, please contact the vendor of the proxy software. |
|
| Back to top |
|
pks
Joined: 18 Sep 2024
Posts: 4
Location: Appleton
|
| Posted: Fri 04 Oct '24 17:51 Post subject: |
|
|
Thank you for pointing it out.
After turning off the ProxyRequests and making one change within the below snippet resolved the Qualys vulnerabilities 62002 and 62054.
<Directory "${SRVROOT}/cgi-bin">
AllowOverride None
Options None
Require all denied
</Directory>
We did make sure it doesn't break the integration we had with Apache HTTPD. Thanks again. |
|
| Back to top |
|
|
|
|
|
|
