Thanks for alerting everyone.
Apache 1.3 and all series 2 versions up to 2.2.20 are affected. As a workaround, an extra slash can be added to the rewrite rulehttp://www.contextis.com/research/blog/ ... oxybypass/
Quote:"If the Apache configuration file is configured like this (prior to Apache's recent update):
RewriteRule ^(.*) http://internalserver:80$1 [P]
And not like this:
RewriteRule ^(.*) http://internalserver:80/$1 [P]
Then access from the internet to any internal system that is accessible from the inside of the proxy is possible; the difference is the trailing slash after the port number."
This only effects you if you are using apache as a reverse proxy and expecting it to protect systems behind it and acting as a firewall. So if you arent doing that, dont worry about it.
OK, now personal thoughts on this class of vulnerabilities. This is IMHO an example of a vulnerability that occurs when you trust user input. I'm all for code that tries to protect you from yourself, so please don't anyone misunderstand my comments. This can only be exploited if you happen to write trusting mod_rewrite rules. In short, this isnt a vulnerability in the code, the code is doing exactly what someone configured mod_rewrite to do. Its not much of a surprise that the bad guys can put whatever they want into $1, you're reading in and trusting their input which could be anything!
So, its all well and good if mod_rewrite tries to protect you from cases were you might do this, but it can't make all input nonmalicious, so this shouldnt be treated as another example where everyone patches and just moves on. Instead, let this episode serve as an opportunity to review your mod_rewrite rules or anything else for that matter where you are trusting user input. If you find cases where you assume the user can only inject a specific input, and if they injected something malicious bad things might happen - then its time to do some fixin.
This type of vulnerability can happen with any application (thats why we have WAF rules afterall). Write whatever you are writing always with the idea in mind that someone could put anything they want into that variable or input field, including malicious input. So always make sure that user input is always treated as malicious and untrusted.