108090 2003-07-22 19:29 /18 lines/ Jason Robertson <jason@ifuture.com>
Imported: 2003-07-22 19:29 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <5678>
Subject: Apache 1.3.27 mod_proxy security issue
------------------------------------------------------------
I have found that recently a spammer has been using a mod_proxy
configuration (that was meant to allow for an easier transition to a
new naming scheme, as well as changes to a backend software) as a spam
relay.

The spammer has been using HTTP POST requests to send these messages
with

    POST HTTP://mailserver:25/ HTTP/1.1

With some research it looks like this is an automated process including
the initial scan stage.

When I contacted Apache in regards to this, the response was not very
promising.

This problem would be a simple fix with implementing the AllowConnect
configuration option within proxy_http, to prevent outbound
connections.

Jason
(108090) /Jason Robertson <jason@ifuture.com>/(Rewrapped)


108175 2003-07-23 18:11 /93 lines/ William A. Rowe, Jr. <wrowe@apache.org>
Imported: 2003-07-23 18:11 by Brevbäraren
External recipient: Jason Robertson <jason@ifuture.com>
Recipient: Bugtraq (import) <5688>
Comment on text 108090 by Jason Robertson <jason@ifuture.com>
Subject: Re: Apache 1.3.27 mod_proxy security issue
------------------------------------------------------------
The Security Team responded 13 minutes after Jason's initial report,
attempting to explain how he had misconfigured his server. While we
acknowledge that new directives might be desirable in limited cases,
the team determined that this is clearly a user configuration error.

The Apache HTTP Server Documentation Project has been working to
improve and further clarify the risks of open proxies, including open
faux-HTTP proxies into SMTP servers. They actively solicit
contributions to the documentation (preferably with a patch) for any
ambiguous or insufficiently covered topics;

  http://httpd.apache.org/docs-project/

More details follow;

At 11:52 AM 7/22/2003, Jason Robertson wrote:
>I have found that recently a spammer has been using a mod_proxy
>configuration, (that was meant to allow for an easier transition to a
>new naming scheme, as well as changes to a backend software) as a spam
>relay.
>The spammer has been using HTTP POST requests to send these messages
>with POST HTTP://mailserver:25/ HTTP/1.1
>With some research it looks like this is an automated process including
>the initial scan stage.
>
>When I contacted Apache in regards to this, the response was not very
>promising.
>
>This problem would be a simple fix with implementing the AllowConnect
>configuration option within proxy_http, to prevent outbound
>connections.

As described in the default configuration, open proxies are never
recommended [from Apache 1.3.27 conf/httpd.conf-dist];

#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
#<IfModule mod_proxy.c>
#    ProxyRequests On
#
#    <Directory proxy:*>
#        Order deny,allow
#        Deny from all
#        Allow from .your-domain.com
#    </Directory>
#
#    # Enable/disable the handling of HTTP/1.1 "Via:" headers.
#    # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
#    # Set to one of: Off | On | Full | Block
#
#    ProxyVia On
#
#    # To enable the cache as well, edit and uncomment the following lines:
#    # (no cacheing without CacheRoot)
#
#    CacheRoot "@@ServerRoot@@/proxy"
#    CacheSize 5
#    CacheGcInterval 4
#    CacheMaxExpire 24
#    CacheLastModifiedFactor 0.1
#    CacheDefaultExpire 1
#    NoCache a-domain.com another-domain.edu joes.garage-sale.com
#</IfModule>
# End of proxy directives.

If (for the purposes of collecting several machines' collective
content) you are attempting to ProxyPass a number of URIs to different
boxes, you should NOT be enabling ProxyRequests.

The final statements in the ProxyRequests directive documentation are;

  http://httpd.apache.org/docs/mod/mod_proxy.html#proxyrequests

  "This allows or prevents Apache from functioning as a proxy server.
  Setting ProxyRequests to 'off' does not disable use of the
  <http://httpd.apache.org/docs/mod/mod_proxy.html#proxypass>ProxyPass
  directive."

  "Warning: Do not enable proxying until you have
  <http://httpd.apache.org/docs/mod/mod_proxy.html#access>secured your
  server. Open proxy servers are dangerous both to your network and to
  the Internet at large."

Access control is briefly illustrated further with additional
references in;

  http://httpd.apache.org/docs/mod/mod_proxy.html#access

Bill
(108175) /William A. Rowe, Jr. <wrowe@apache.org>/(Rewrapped)
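The abuse Jason reports leaves a distinctive trace in the access log: a forward-proxy request line carries an absolute URI (or, for CONNECT, a host:port target) instead of a path, and the spam relay case aims it at port 25. The script below is an added example for checking your own logs for that pattern; it is not code from this thread or from the Apache project. The log lines it parses are constructed, and the set of mail ports it flags is an assumption to adjust for your site.

```python
"""Flag forward-proxy requests (and in particular those aimed at mail ports)
in Apache access logs. Added example, not code from the Bugtraq thread or
from the Apache project. All log lines below are constructed."""
import re
from urllib.parse import urlsplit

# Apache's default "combined" LogFormat: the request line is the first quoted
# field; referer and user-agent follow and are not needed here.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Ports a web proxy has no business relaying to (assumption: tune per site).
MAIL_PORTS = {25, 465, 587}


def classify(line):
    """Return None for an ordinary request served from the local docroot,
    otherwise a dict describing the proxy request found in the line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target = m.group('method'), m.group('target')

    if method == 'CONNECT':
        # CONNECT uses an authority-form target, "host:port", with no scheme.
        host, sep, port_text = target.rpartition(':')
        if not sep or not port_text.isdigit():
            return None
        host, port = host.lower(), int(port_text)
    else:
        # Origin-form targets start with '/'; an absolute URI ("http://host/...")
        # in the request line means the client is using us as a forward proxy.
        if target.startswith('/'):
            return None
        parts = urlsplit(target)          # urlsplit lowercases the scheme
        if parts.scheme not in ('http', 'https') or not parts.hostname:
            return None
        try:
            port = parts.port
        except ValueError:                # malformed port in the URI
            return None
        if port is None:
            port = 443 if parts.scheme == 'https' else 80
        host = parts.hostname

    return {
        'client': m.group('client'),
        'method': method,
        'host': host,
        'port': port,
        'status': int(m.group('status')),
        'mail_port': port in MAIL_PORTS,
    }


def summarize(lines):
    """Per-client count of proxy requests and the set of mail-port targets."""
    report = {}
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        entry = report.setdefault(hit['client'],
                                  {'proxy_requests': 0, 'mail_targets': set()})
        entry['proxy_requests'] += 1
        if hit['mail_port']:
            entry['mail_targets'].add((hit['host'], hit['port']))
    return report


# Constructed sample log lines in combined format.
SAMPLE_LOG = [
    # A normal page fetch from the local docroot: not a proxy request.
    '192.0.2.10 - - [22/Jul/2003:11:40:01 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
    # The request line shape from the report: POST through the proxy to an SMTP port.
    '198.51.100.7 - - [22/Jul/2003:11:41:15 -0400] "POST HTTP://mailserver:25/ HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.7 - - [22/Jul/2003:11:41:16 -0400] "POST http://mx.example.net:25/ HTTP/1.1" 200 0 "-" "-"',
    # An ordinary forward-proxy fetch: still a proxy request, but not a mail port.
    '198.51.100.7 - - [22/Jul/2003:11:42:00 -0400] "GET http://www.example.com/ HTTP/1.0" 200 5120 "-" "-"',
    # A CONNECT attempt to a mail port that the server refused (403).
    '203.0.113.5 - - [22/Jul/2003:11:43:30 -0400] "CONNECT smtp.example.org:25 HTTP/1.0" 403 - "-" "-"',
]

if __name__ == '__main__':
    for client, info in summarize(SAMPLE_LOG).items():
        print(client, info['proxy_requests'], sorted(info['mail_targets']))
```

Any client that shows up in this report on a server meant only to ProxyPass a few URIs to backend boxes is evidence that ProxyRequests is on when it should not be; a 2xx status on a mail-port target means the relay actually went through, while a 403 shows the `<Directory proxy:*>` access control doing its job.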