COMMAND

    httpd

SYSTEMS AFFECTED

    Systems running Apache v1.2b8

PROBLEM

    Valgamon discovered a problem in  the eighth beta of Apache  v1.2.
    When the proxy module is compiled into the server executable,  and
    the access configuration file is set up for host-based denial,  an
    attacker can still access the  proxy and effectively appear to  be
    coming from your host while  browsing the web. This problem  seems
    to be platform-independent.

    He was  testing Apache's  viability as  an alternative  to the TIS
    Firewall  Toolkit's  HTTP  proxy.  The  access.conf  file had been
    correctly set to deny all hosts access to the proxy except for  my
    testing machine, as follows:

        <Directory proxy:*>
        <Limit GET>
        order deny,allow
        deny from all
        allow from testing.machine.ip.address
        </Limit>
        </Directory>

    Yet it still allows  any host to retrieve  any website as long  as
    you leave  off the  trailing forward  slash from  the GET request.
    When  telnetting  to  the  proxy  port  from  hosts that should be
    denied access to the proxy,  Valgamon issued two very similar  GET
    requests and got two different results.

        GET http://www.yahoo.com     <--- gives you the page!! It should not!
        GET http://www.yahoo.com/    <--- denies you, like it's supposed to.

    The only difference is  that forward slash on  the end of the  2nd
    request.

SOLUTION

    Chuck Murcko at  apache.org confirmed that  this is a  new bug and
    assured that will be fixed in 1.2b10.  Temporary Fix: use a <File>
    block instead of <Directory>.