Apache HTTP Server: Vulnerability CVE-2023-25690 closed after PoC
by Tina Siering
Vulnerability CVE-2023-25690 fixed
The Apache Foundation announced in early March 2023 that it had fixed security vulnerability CVE-2023-25690 in Apache HTTP Server 2.4.56. The fix prevents control characters from being included in a proxied request. The vulnerability carries a CVSS score of 9.8 because it can be used to bypass access controls. Until a security researcher published a proof of concept on 21 May 2023, the issue appeared to have gone largely unnoticed.
Certain configurations of mod_proxy in Apache HTTP Server versions 2.4.0 through 2.4.55 can be exploited for an "HTTP Request Smuggling" attack.
How an HTTP request smuggling attack works
HTTP Request Smuggling is a sophisticated attack method that exploits inconsistencies in how different web infrastructure components process the same HTTP request. Attackers use this technique to manipulate how requests are interpreted, bypass security measures, inject payloads undetected, and potentially gain access to sensitive data or even remote command execution.
The vulnerability is present when mod_proxy is enabled together with a RewriteRule or ProxyPassMatch in which a non-specific pattern matches part of the user-supplied request target (URL), and the matched part is then re-inserted into the proxied request target by variable substitution.
The proof of concept showed how this vulnerability in the Apache HTTP Server can be exploited for header injection and request smuggling attacks against a vulnerable application. To be affected by this vulnerability, however, several conditions must be met:
- The Apache server configuration must contain a RewriteRule that copies data into the query string of a proxy URL. Possible scenario:

    RewriteEngine on
    RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?param=$1" [P]

  With such a rule, request splitting or smuggling may occur, leading to circumvention of access controls on the proxy server, proxying of unintended URLs to existing origin servers, and cache poisoning.
- The application must consider the proxy as a significant security boundary.
- The application must be using a vulnerable version of the Apache HTTP Server (2.4.55 or earlier).
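To make the first condition concrete, here is an added example (not code from the article or from the Apache project): a small Python script that scans an httpd configuration text for the affected pattern, a RewriteRule with the [P] flag or a ProxyPassMatch whose proxied target re-inserts an unrestricted capture group taken from the request target. The sample configuration it runs on is constructed for this example; it contains the scenario above next to a ProxyPassMatch with the same weakness in the path, a rule whose capture group only admits a narrow character class (which the check passes), and a plain redirect (out of scope because it is not proxied). The hostname backend.internal and the notion of a "restrictive" group are assumptions of the check. Upgrading remains the fix; the scan only helps locate configurations that match the advisory's description.

```python
"""Added example for this article (not Apache project code): scan an
httpd configuration for the pattern described in CVE-2023-25690, i.e. a
RewriteRule with the [P] flag, or a ProxyPassMatch, whose proxied target
re-inserts a non-specific capture group ($1, $2, ...) taken from the
request-target. Text-level heuristic only; it does not parse httpd.conf
the way httpd does (no Include, no line continuations)."""
import re

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_BACKREF = re.compile(r'\$([1-9])')
# A group counts as restrictive only when it is a positive character
# class (no leading ^) with an optional quantifier, e.g. [A-Za-z0-9_-]+ .
# Anything else (.*, [^/]+, \S+) can match control characters and is
# reported. This notion of "restrictive" is an assumption of the check.
_RESTRICTIVE = re.compile(r'^\[[^\]^][^\]]*\]([+*?]|\{\d+(?:,\d*)?\})?$')


def tokenize(line):
    """Split a directive line into arguments, honouring double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(line)]


def capture_groups(pattern):
    """Bodies of the capturing groups of a regex, in numbering order;
    escapes, character classes and (?...) groups are skipped correctly."""
    groups, stack, in_class, i = [], [], False, 0
    while i < len(pattern):
        c = pattern[i]
        if c == '\\':
            i += 2                                  # escaped character
            continue
        if in_class:
            in_class = c != ']'
        elif c == '[':
            in_class = True
            if pattern[i + 1:i + 2] == '^':
                i += 1                              # negation marker
            if pattern[i + 1:i + 2] == ']':
                i += 1                              # literal ] at start
        elif c == '(':
            stack.append((i + 1, not pattern.startswith('(?', i)))
        elif c == ')' and stack:
            start, capturing = stack.pop()
            if capturing:
                groups.append((start, pattern[start:i]))
        i += 1
    return [body for _, body in sorted(groups)]


def _has_proxy_flag(tokens):
    """True when a RewriteRule's [flags] list contains P or proxy."""
    if len(tokens) < 4 or not tokens[3].startswith('['):
        return False
    return any(f.split('=')[0].strip().upper() in ('P', 'PROXY')
               for f in tokens[3].strip('[]').split(','))


def audit_config(text):
    """One finding per backreference that lands a non-specific capture
    group in a proxied target; 'where' tells path from query string."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        tokens = tokenize(line)
        name = tokens[0].lower()
        if len(tokens) < 3 or name not in ('rewriterule', 'proxypassmatch'):
            continue
        if name == 'rewriterule' and not _has_proxy_flag(tokens):
            continue                    # redirect or internal rewrite, not proxied
        pattern, target = tokens[1], tokens[2]
        groups = capture_groups(pattern)
        for m in _BACKREF.finditer(target):
            n = int(m.group(1))
            if n > len(groups) or _RESTRICTIVE.match(groups[n - 1]):
                continue
            findings.append({
                'line': lineno, 'directive': tokens[0], 'group': n,
                'body': groups[n - 1], 'target': target,
                'where': 'query string' if '?' in target[:m.start()] else 'path',
            })
    return findings


# Constructed sample configuration: the advisory's scenario, a ProxyPassMatch
# with the same weakness in the path, a narrow rule that passes, and a
# non-proxied redirect. backend.internal is a made-up hostname.
SAMPLE_CONFIG = """\
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?param=$1" [P]
ProxyPassMatch "^/api/(.*)$" "http://backend.internal:9000/v1/$1"
RewriteRule "^/safe/([A-Za-z0-9_-]+)$" "http://example.com:8080/elsewhere?param=$1" [P]
RewriteRule "^/old/(.*)" "https://www.example.com/new/$1" [R=301,L]
"""

if __name__ == '__main__':
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['directive']} re-inserts ${f['group']} "
              f"(group body '{f['body']}') into the {f['where']} of {f['target']}")
```

Run against the sample, the script reports the two proxied targets that re-insert an unrestricted group and stays silent on the narrow rule and the redirect. Replacing `(.*)` with a character class that cannot match CR, LF or other control characters, as the `/safe/` rule does, removes the ingredient the advisory describes; it is a configuration hardening step alongside, not instead of, the upgrade to 2.4.56.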
[Figure: data flow of the PoC attack; source: GitHub]
Users are advised to upgrade to version 2.4.56 (or later) of Apache HTTP Server.