Apache developers are working on a fix for a flaw in its web server software that creates a possible mechanism for reaching internal systems.
The zero-day vulnerability only rears its ugly head if reverse proxy rules are configured incorrectly, and it is far from easy to exploit ... but it is nonetheless nasty. A possible patch for the vulnerability was suggested by an Apache developer from Red Hat on Wednesday but has yet to be fully tested. In the meantime, web admins would be well advised to nail down their systems.
The as-yet-unpatched bug was discovered by Prutha Parikh, a security researcher at Qualys, who came across it while researching another reverse proxy issue.
Parikh has published a detailed explanation of the flaw, alongside proof-of-concept code, in a post on the Qualys blog. ®