PT-2011-4554 · Apache+3 · Apache HTTP Server+3

Published: 2011-11-30 · Updated: 2023-02-13 · CVE-2011-3639

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Apache HTTP Server versions 2.0.x through 2.0.64
Apache HTTP Server versions 2.2.x before 2.2.18

Description

The issue arises from the mod_proxy module's improper interaction with RewriteRule and ProxyPassMatch pattern matches when the server is configured as a reverse proxy. This allows remote attackers to send requests to intranet servers by using the HTTP/0.9 protocol with a malformed URI containing an initial @ (at sign) character.

Recommendations

For Apache HTTP Server versions 2.0.x through 2.0.64, update to a version that includes the complete fix for the issue.
For Apache HTTP Server versions 2.2.x before 2.2.18, update to version 2.2.18 or later.
As a temporary workaround, consider restricting access to the mod_proxy module until a patch is available.

Related Identifiers

CESA-2012_0128
CVE-2011-3639
DSA-2405-1
RHSA-2012:0128
RHSA-2012:0323
RHSA-2012_0128
RHSA-2012_0323

Affected Products

Apache HTTP Server
CentOS
Red Hat
SUSE