Topic: How to fix "HTTP Proxy POST Request Relaying" by

Author: danielc
Joined: 15 Jul 2022 Posts: 3 Location: HK
Posted: Fri 15 Jul '22 8:42 Post subject: How to fix "HTTP Proxy POST Request Relaying" by
Hello,
I have an Apache server acting as a proxy using ProxyPass and ProxyPassReverse:
ProxyPass /proton/CMS http://192.168.2.14 retry=1 acquire=3000 timeout=600 Keepalive=On
ProxyPass /proton/LMS http://192.168.2.15
ProxyPassReverse /proton/LMS http://192.168.2.15
It is working fine.
But we received our security auditor's report, saying:

Quote:
HTTP Proxy Arbitrary Site/Port Relaying
The remote proxy allows everyone to perform requests against arbitrary ports, such as:
'GET http://cvs.nessus.org:110'.
This problem may allow attackers to go through your firewall by connecting to sensitive ports like 25 (sendmail) using the proxy. In addition to that, it might be used to perform attacks against other networks.

Quote:
HTTP Proxy POST Request Relaying
The proxy allows the users to perform POST requests such as
POST http://cvs.nessus.org:21
without any Content-length tag.
This request may give an attacker the ability to have an interactive session.
This problem may allow attackers to go through your firewall by connecting to sensitive ports like 23 (telnet) using your proxy, or it can allow internal users to bypass the firewall rules and connect to ports they should not be allowed to.
In addition to that, your proxy may be used to perform attacks against other networks.
However, I am not sure how to set up the ACL to prevent GET and POST requests except to remote ports 80 and 443. Would you please point me in the direction of how to limit this? Thanks.
Daniel
Author: James Blond (Moderator)
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Sat 16 Jul '22 22:43
Hi Daniel,
the default "ProxyRequests Off" prevents that, unless you turn it on.
You may also set "ProxyVia Block".
You can also limit the connections to your reverse proxy with Require. Well, that works only if you have a fixed range of IPs.
In my opinion that is a false positive. You don't run a forward proxy.
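The configuration James describes (reverse proxy only, ProxyVia Block, Require on a fixed client range), placed beside the open forward-proxy setup the scanner is probing for, and, for the case where a forward proxy is genuinely needed, one way to answer Daniel's question about allowing only destination ports 80 and 443. This is an added example, not the configuration posted in the thread: the two backends and the /proton prefixes come from Daniel's post, while the 10.0.0.0/8 client range, port 3128 and the ServerName are placeholders.

```apache
# Added example (not from this thread). Backends 192.168.2.14/.15 and the
# /proton prefixes are Daniel's; 10.0.0.0/8, port 3128 and the ServerName
# are placeholders chosen for illustration.

# ---------------------------------------------------------------
# 1. Reverse proxy only (Daniel's setup, as James describes it)
# ---------------------------------------------------------------
# Off is the default; stating it explicitly stops a later edit from
# turning the host into an open relay. With it off, httpd only forwards
# requests that match a ProxyPass mapping. An absolute-URI request such as
#   GET http://cvs.nessus.org:110/ HTTP/1.1
# is not relayed to cvs.nessus.org; it is answered locally like any other
# request, which is why the finding is a false positive for this setup.
ProxyRequests Off
ProxyVia Block            # do not advertise the proxy hop in Via: headers

ProxyPass        "/proton/CMS" "http://192.168.2.14" retry=1 acquire=3000 timeout=600 keepalive=On
ProxyPassReverse "/proton/CMS" "http://192.168.2.14"
ProxyPass        "/proton/LMS" "http://192.168.2.15"
ProxyPassReverse "/proton/LMS" "http://192.168.2.15"

# Optional, only if clients come from a fixed range: restrict the mapped
# prefixes themselves (James's Require suggestion). Placeholder range.
<Location "/proton">
    Require ip 10.0.0.0/8
</Location>

# ---------------------------------------------------------------
# 2. What the scanner is looking for: an open forward proxy
# ---------------------------------------------------------------
# Do NOT deploy this; shown commented out for contrast only. With
# ProxyRequests On and no <Proxy> access control, anyone who can reach
# the listener can make httpd open a TCP connection to any host and port
# (GET http://host:110/, POST http://host:21/, CONNECT host:23, ...).
#
#   ProxyRequests On
#   <Proxy "*">
#       Require all granted
#   </Proxy>

# ---------------------------------------------------------------
# 3. If a forward proxy is genuinely required: restrict who and where
# ---------------------------------------------------------------
Listen 3128
<VirtualHost *:3128>
    ServerName proxy.example.internal
    ProxyRequests On
    ProxyVia Block

    # Who may use it: internal clients only (placeholder range).
    <Proxy "*">
        Require ip 10.0.0.0/8
    </Proxy>

    # Where GET/POST/... may go: deny any explicit destination port other
    # than 80 or 443. <ProxyMatch> is tested against the proxied URL
    # (http://host[:port]/path). A URL with no explicit port is left alone
    # because it implies the scheme's default port. This section comes
    # after <Proxy "*">, so its Require overrides the one above for
    # matching URLs.
    <ProxyMatch "^https?://[^/]+:(?!80/|443/)[0-9]+/">
        Require all denied
    </ProxyMatch>

    # CONNECT tunnels are governed separately: allow TLS only, dropping
    # 563 (NNTPS) from the built-in default of "443 563".
    AllowCONNECT 443
</VirtualHost>
```

To check the result the way the scanner did, send a proxy-style request through each listener, for instance `curl -sS -x http://proxy.example.internal:3128 -o /dev/null -w '%{http_code}\n' http://cvs.nessus.org:110/`. Against section 3 this should return 403 (and the same request from outside 10.0.0.0/8 is also refused); against the port-80 reverse proxy with ProxyRequests Off you get the server's own response for "/", never a banner from port 110, which is the behaviour to confirm before contesting the finding.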