The open source Apache HTTP Web Server is at risk from a reverse proxy flaw that is currently unpatched. The flaw was disclosed by Qualys security researcher Purtha Parikh late last week and is related to a flaw that Apache first attempted to fix in October.
"While reviewing the patch for the older issue CVE-2011-3368, it appeared that it was still possible to make use of a crafted request that could exploit a fully patched Apache Web Server (Apache 2.2.21 with CVE-2011-3368 patch applied) to allow access to internal systems if the reverse proxy rules are configured incorrectly," Parikh reported.
Reverse proxies are commonly used to load-balance static and dynamic content across multiple internal Web servers in an organization. By design, a reverse proxy shields those internal servers from direct external access. Combined with an incorrectly written proxy rule, the unpatched flaw lets an attacker route requests through the proxy to internal servers that were never meant to be reachable from outside.
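The article does not show the crafted request or the rule that makes it work, so the following is an added illustration, not code from the article, from Qualys or from the Apache project. It models the misconfiguration that Apache's own CVE-2011-3368 advisory warned about: a `RewriteRule ... [P]` or `ProxyPassMatch` whose pattern does not require a leading `/` and whose target has no `/` between the fixed host and the substituted `$1`, so that a request-URI which does not begin with `/` lands in the authority part of the proxied URL. The configuration fragment, the host names and the request-URIs are all constructed for the example; `check_config` is my own heuristic, and `proxied_host` models only the match-and-substitute step of mod_rewrite, not the rest of the request pipeline.

```python
import re
from urllib.parse import urlsplit

# Constructed httpd.conf fragment (not from the article or any real server).
SAMPLE_CONFIG = """\
# Weak: the pattern is not anchored on "/" and the target has no "/" before $1.
RewriteRule ^(.*) http://internal.example$1 [P]
ProxyPassMatch ^(.*) http://internal.example$1

# Corrected: require a leading "/" and put the slash back in the target.
RewriteRule ^/(.*) http://internal.example/$1 [P]
ProxyPassMatch ^/(.*) http://internal.example/$1

# Not a proxy rule (no [P] flag), so it is ignored by the check.
RewriteRule ^(.*) /index.html [L]
"""

RULE_RE = re.compile(
    r'^\s*(RewriteRule|ProxyPassMatch)\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?', re.I)


def is_proxy_rule(directive, flags):
    """ProxyPassMatch always proxies; RewriteRule only with the P/proxy flag."""
    if directive.lower() == 'proxypassmatch':
        return True
    return bool(flags) and any(f.strip().upper() in ('P', 'PROXY')
                               for f in flags.split(','))


def pattern_anchored_to_slash(pattern):
    """True when the regex can only match a path that begins with '/'."""
    return re.match(r'\^\\?/', pattern) is not None


def target_inserts_slash(target):
    """True when a '/' separates the fixed host from whatever is substituted."""
    m = re.match(r'^[a-z][a-z0-9+.-]*://[^/$]+(.*)$', target, re.I)
    return m is not None and m.group(1).startswith('/')


def check_config(text):
    """Return (line number, directive, problem) for each risky proxy rule.
    This is a heuristic written for the example, not an Apache tool."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue
        directive, pattern, target, flags = m.groups()
        if not is_proxy_rule(directive, flags):
            continue
        problems = []
        if not pattern_anchored_to_slash(pattern):
            problems.append('pattern does not require a leading "/"')
        if not target_inserts_slash(target):
            problems.append('no "/" between host and substitution in target')
        if problems:
            findings.append((lineno, directive, '; '.join(problems)))
    return findings


def proxied_host(pattern, target, request_uri):
    """Apply one rule the way mod_rewrite does (regex match, then expand the
    $N back-references into the target) and return the (host, port) the proxy
    would connect to, or None when the rule does not match the URI."""
    m = re.search(pattern, request_uri)
    if m is None:
        return None
    template = re.sub(r'\$(\d)', r'\\\1', target)  # "$1" -> "\1" for expand()
    url = urlsplit(m.expand(template))
    return (url.hostname, url.port)


if __name__ == '__main__':
    for lineno, directive, problem in check_config(SAMPLE_CONFIG):
        print(f'line {lineno}: {directive}: {problem}')
    # Constructed request-URIs: a normal path and one that does not start with "/".
    for uri in ('/app/page', '@10.0.0.5:8080/admin'):
        print(uri, '-> weak:', proxied_host(r'^(.*)', 'http://internal.example$1', uri),
              '| fixed:', proxied_host(r'^/(.*)', 'http://internal.example/$1', uri))
```

With the weak rule, the constructed URI `@10.0.0.5:8080/admin` expands to `http://internal.example@10.0.0.5:8080/admin`, and `internal.example` becomes userinfo while `10.0.0.5:8080` becomes the host the proxy connects to; the corrected rule simply does not match a URI that lacks a leading slash. The check is a lint for the two conditions that make that substitution dangerous, not a test for the specific request Qualys used.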