CVE-2011-3368

Name of the Vulnerable Software and Affected Versions Apache HTTP Server versions 1.3.x through 1.3.42 Apache HTTP Server versions 2.0.x through 2.0.64 Apache HTTP Server versions 2.2.x through 2.2.21

Description The issue arises from the mod proxy module's improper interaction with RewriteRule and ProxyPassMatch pattern matches when configuring a reverse proxy. This allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character, potentially disclosing sensitive information from internal web servers.

Recommendations For Apache HTTP Server versions 1.3.x through 1.3.42, apply the patch from https://archive.apache.org/dist/httpd/patches/apply to 1.3.42/ to resolve the issue. For Apache HTTP Server versions 2.0.x through 2.0.64, update to a version that includes the fix for this issue. For Apache HTTP Server versions 2.2.x through 2.2.21, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting the use of the RewriteRule and ProxyPassMatch directives in the mod proxy module until a patch is applied.