HTTP Request Smuggling, a vulnerability class that made headlines over the last decade, is back on the radar with new exploit code for CVE-2023-25690 released recently. This exploit code targets specific configurations of the Apache HTTP Server, a widely used web server, and has the potential to cause serious damage to affected systems.
The Vulnerability: CVE-2023-25690
CVE-2023-25690 is a newly discovered vulnerability that affects Apache HTTP Server versions 2.4.0 through 2.4.55. This bug is present in some configurations of mod_proxy, a module of the Apache HTTP Server used for proxying HTTP requests.
The vulnerability is specifically triggered when mod_proxy is enabled alongside RewriteRule or ProxyPassMatch, where a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target via variable substitution. For example:
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
In this case, request splitting/smuggling could lead to a bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning.
CVE-2023-25690 – Proof of Concept
Published: 7 March 2023
Implications of the Vulnerability
The consequences of this vulnerability are significant. Bypassing access controls could grant an attacker unauthorized access to sensitive data or systems, while proxying unintended URLs could expose internal systems or facilitate further attacks. Cache poisoning, meanwhile, can corrupt the data served to users, potentially leading to further compromises.
The Apache Software Foundation has acknowledged this issue and released a fix with Apache HTTP Server version 2.4.56. Users are strongly recommended to update their servers to this version or later as soon as possible to mitigate the risk.
Until the update can be applied, administrators could consider disabling mod_proxy or changing their configurations to not reinsert user-supplied URL data into proxied request targets as an interim measure. However, these changes may have their own operational impacts, and a full update is the only surefire way to fix the vulnerability.
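The interim measure above (stop re-inserting user-supplied URL data into proxied targets) first requires finding the directives that do so. The following audit script is an added example, not code from this page or from the Apache project: it scans an httpd configuration for the shape the advisory describes, a RewriteRule with the proxy flag or a ProxyPassMatch whose target substitutes a capture group that can match arbitrary characters. The sample configuration is constructed for the demonstration (its second line is the page's own example, the others are assumed variants), and the notion of an "unrestricted" group is a heuristic of this script, not an Apache definition; a hit means the configuration should be reviewed, not that it is necessarily exploitable.

```python
import re
import shlex

# Constructed sample httpd configuration for the audit below (not the page's
# or any real deployment's config). Line 2 is the shape the advisory warns
# about: an unrestricted capture re-inserted into the proxied request-target.
# Line 4 restricts the capture to a safe character set; lines 6 and 7 do not proxy.
SAMPLE_CONFIG = """\
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
RewriteRule "^/safe/([A-Za-z0-9_-]+)$" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassMatch "^/api/(.*)$" "http://backend.internal:8080/api/$1"
RewriteRule "^/local/(.*)$" "/index.php?page=$1" [L]
ProxyPass /static/ http://backend.internal:8080/static/
"""

# Heuristic (an assumption of this script): a capture group is treated as
# unrestricted when it repeats '.' or a negated character class, because such
# a group can carry decoded control characters into the proxied request line.
UNRESTRICTED = re.compile(r"(?<!\\)\.[*+]|\[\^[^\]]*\][*+]")


def capture_groups(pattern):
    """Return the bodies of the numbered capture groups of a regex, in order.
    Non-capturing groups '(?:...)' and escaped parentheses are skipped."""
    groups, stack, i = [], [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":          # skip escaped character
            i += 2
            continue
        if ch == "(":
            capturing = not pattern.startswith("(?", i)
            stack.append((i + 1, capturing))
        elif ch == ")" and stack:
            start, capturing = stack.pop()
            if capturing:
                groups.append((start, pattern[start:i]))
        i += 1
    # number groups by the position of their opening parenthesis
    return [body for _, body in sorted(groups)]


def parse_directive(line):
    """Split a config line into directive and arguments, honoring quotes."""
    parts = shlex.split(line, comments=True)
    if not parts:
        return None, []
    return parts[0], parts[1:]


def audit_config(text):
    """Flag proxying directives that substitute an unrestricted capture of the
    request-target into the proxied target. Reports the configuration shape
    named in the advisory; it does not prove exploitability."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        directive, args = parse_directive(raw)
        if directive is None or len(args) < 2:
            continue
        if directive == "RewriteRule":
            flags = args[2].strip("[]").split(",") if len(args) > 2 else []
            proxies = any(f.strip().split("=")[0] in ("P", "proxy") for f in flags)
        elif directive == "ProxyPassMatch":
            proxies = True
        else:
            continue
        if not proxies:
            continue
        pattern, target = args[0], args[1]
        groups = capture_groups(pattern)
        for ref in re.findall(r"\$(\d)", target):
            idx = int(ref) - 1
            if idx < len(groups) and UNRESTRICTED.search(groups[idx]):
                findings.append({"line": lineno, "directive": directive,
                                 "group": groups[idx], "target": target})
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['directive']} re-inserts unrestricted "
              f"capture '({f['group']})' into {f['target']}")
```

Run against a real httpd.conf by reading the file into `audit_config`; every hit is a directive to either tighten (as in the `/safe/` rule, which only admits a limited character set) or remove until 2.4.56 or later is deployed.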