Apache HTTP Server fixes two HTTP splitting flaws: response splitting (CVE-2023-27522) and request splitting (CVE-2023-25690)

Apache HTTP Server is one of the most widely used web servers in the world, powering millions of websites and applications. Two recently disclosed vulnerabilities in the server could expose sensitive information and allow attackers to perform further attacks:

CVE-2023-27522: Apache HTTP Server mod_proxy response splitting

This vulnerability is caused by an error in mod_proxy_uwsgi, which can allow a remote attacker to inject arbitrary HTTP headers and cause the server to return a split response. This could potentially allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and obtain sensitive information. The issue affects Apache HTTP Server versions from 2.4.30 through 2.4.55.

The attack works by inserting special characters in the origin response header, which can truncate or split the response forwarded to the client. An attacker can exploit this to inject their own headers and cause the server to return a split response.

CVE-2023-25690: Apache HTTP Server request splitting

This vulnerability is caused by an error in mod_proxy when it is enabled together with some form of RewriteRule or ProxyPassMatch. A remote attacker could exploit it to bypass access controls in the proxy server, proxy unintended URLs to existing origin servers, and poison caches. Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow HTTP request smuggling attacks.

CVE-2023-25690 arises when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and the match is then re-inserted into the proxied request-target using variable substitution. The result can be request splitting or smuggling, bypassing of access controls, and proxying of unintended URLs to existing origin servers, which could lead to cache poisoning.
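
The configuration condition described above can be checked for in existing server configs. The following Python script is an added example, not code from the original article or from the Apache project: it flags RewriteRule directives with the proxy flag and ProxyPassMatch directives whose pattern contains a non-specific capture that is substituted back into the target. The sample configuration, the host name backend.example, and the function names are constructed for illustration; the broad-capture check is a heuristic and assumes one directive per line.

```python
import re

# Constructed sample configuration; host names and paths are placeholders.
SAMPLE_CONF = """\
RewriteEngine on
RewriteRule "^/here/(.*)" "http://backend.example:8080/elsewhere?$1" [P]
RewriteRule "^/item/([0-9]+)$" "http://backend.example:8080/item?id=$1" [P,L]
ProxyPassMatch "^/app/(.+)$" "http://backend.example:8080/$1"
RewriteRule "^/old/(.*)" "/new/$1" [R=301,L]
# RewriteRule "^/x/(.*)" "http://backend.example/$1" [P]
"""

# Directive arguments: either "double quoted" or a bare run of non-space characters.
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')
# Heuristic for a non-specific capture: (.*), (.+), or a negated class such as ([^/]+).
BROAD = re.compile(r'\((\.|\[\^[^\]]*\])[*+]\??\)')
# Backreference ($0..$9) that re-inserts captured text into the target.
BACKREF = re.compile(r'\$\d')

def tokenize(line):
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN.finditer(line)]

def audit(conf_text):
    """Return (line number, directive, pattern) for each proxying rule that
    substitutes a broad capture into the proxied request-target."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = tokenize(line)
        name = tok[0].lower()
        if name == "rewriterule" and len(tok) >= 4:
            # Only rules carrying the proxy flag ([P] or [proxy]) reach mod_proxy.
            flags = [f.split("=")[0].strip().lower() for f in tok[3].strip("[]").split(",")]
            proxied = "p" in flags or "proxy" in flags
        elif name == "proxypassmatch" and len(tok) >= 3:
            proxied = True
        else:
            continue
        if proxied and BROAD.search(tok[1]) and BACKREF.search(tok[2]):
            findings.append((lineno, tok[0], tok[1]))
    return findings

if __name__ == "__main__":
    for lineno, directive, pattern in audit(SAMPLE_CONF):
        print(f"line {lineno}: {directive} re-inserts broad capture {pattern}")
```

Rules it reports are candidates for review: a pattern restricted to the characters the backend actually expects, as in the `([0-9]+)` rule in the sample, is not flagged.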

Protecting Your Server

To protect your system from these vulnerabilities, it is essential to promptly update Apache HTTP Server to the latest version (2.4.56). Additionally, organizations should consider implementing a Web Application Firewall (WAF) to detect and block HTTP request splitting and response splitting attacks.