CVE-2011-4317

Name of the Vulnerable Software and Affected Versions Apache HTTP Server versions 1.3.x through 1.3.42 Apache HTTP Server versions 2.0.x through 2.0.64 Apache HTTP Server versions 2.2.x through 2.2.21

Description The issue arises from the mod proxy module not properly interacting with the use of RewriteRule and ProxyPassMatch pattern matches for configuration of a reverse proxy. This allows remote attackers to send requests to intranet servers via a malformed URI containing an @ character and a : character in invalid positions. The estimated number of potentially affected devices is not specified. There is no information about real-world incidents where this issue was exploited.

Recommendations For Apache HTTP Server versions 1.3.x through 1.3.42, consider disabling the mod proxy module until a patch is available. For Apache HTTP Server versions 2.0.x through 2.0.64, restrict access to the mod proxy module to minimize the risk of exploitation. For Apache HTTP Server versions 2.2.x through 2.2.21, avoid using the RewriteRule and ProxyPassMatch directives in the mod proxy configuration until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.