A new version of the ubiquitous Apache HTTP Server released Tuesday fixes two important security flaws that can allow an attacker to perform HTTP smuggling attacks against a vulnerable server.
One of the flaws (CVE-2023-27522) is an HTTP response smuggling bug, while the other (CVE-2023-25690) is an HTTP request smuggling vulnerability. The former vulnerability affects versions 2.4.30 through 2.4.55 of the Apache HTTP Server, while the latter affects 2.4.0 through 2.4.55. Both bugs are fixed in version 2.4.56.
For an installation of the Apache HTTP Server to be affected by CVE-2023-25690, the mod_proxy module must be enabled. That module is designed to enable a proxy, cache, or gateway for the Apache server.
“Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution,” the Apache advisory says.
“For example, something like:

RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/

Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning.”
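To find rules of the shape the advisory describes in an existing configuration, a small audit script can help. The following is an added example, not code from Apache or from this article; the `audit` function, its "broad capture" heuristic, and the sample rules other than the advisory's own are assumptions made for illustration.

```python
import re

# Heuristic for a "non-specific" capture: a group holding .*, .+ or a negated
# class with * or +. This is an assumption, not the advisory's definition.
BROAD = re.compile(r"\((?!\?)[^()]*(?:(?<!\\)\.|\[\^[^\]]*\])[*+]")
BACKREF = re.compile(r"\$[1-9]")          # $N substitution in the target
TOKEN = re.compile(r'"[^"]*"|\S+')        # quoted or bare directive argument

def audit(conf_text):
    """Return (line_no, directive, reason) for each rule that proxies a
    broad capture back into the request-target."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = [t.strip('"') for t in TOKEN.findall(line)]
        name = tok[0].lower()
        if name == "rewriterule" and len(tok) >= 3:
            pattern, target = tok[1], tok[2]
            flags = tok[3].strip("[]").lower().split(",") if len(tok) > 3 else []
            proxied = any(f.strip() in ("p", "proxy") for f in flags)
        elif name == "proxypassmatch" and len(tok) >= 3:
            pattern, target, proxied = tok[1], tok[2], True
        else:
            continue
        if proxied and BROAD.search(pattern) and BACKREF.search(target):
            findings.append((no, tok[0], "broad capture re-inserted into proxied target"))
    return findings

# Constructed sample: the advisory's example rule plus hypothetical neighbours.
SAMPLE = '''RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
RewriteRule "^/item/([0-9]+)$" "http://example.com:8080/item?id=$1" [P]
RewriteRule "^/old/(.*)" "/new/$1" [R=301,L]
ProxyPassMatch "^/files/(.+)$" "http://example.com:8080/get?name=$1"
ProxyPassReverse /here/ http://example.com:8080/
'''

if __name__ == "__main__":
    for no, directive, reason in audit(SAMPLE):
        print(f"line {no}: {directive}: {reason}")
```

A flagged line only means the rule matches the pattern the advisory names; the fix remains the upgrade to 2.4.56, and tightening the capture to the characters the backend actually expects reduces exposure in the meantime.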
The second vulnerability also is related to the way that the mod_proxy module behaves.
“HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. Special characters in the origin response header can truncate/split the response forwarded to the client,” the advisory says.
The Apache HTTP Server is the most widely deployed web server in the world and is used widely in both hosting and enterprise environments. Organizations running vulnerable versions should upgrade as soon as is practicable to protect against these flaws.