
Researchers discovered vulnerabilities in the Apache HTTP Server that could potentially expose sensitive information and allow attackers to perform further attacks.
The two important vulnerabilities that have been recently discovered in Apache HTTP Server are tracked as CVE-2023-27522 and CVE-2023-25690.
CVE-2023-27522: Apache HTTP Server mod_proxy response splitting
This bug is caused by an error in mod_proxy_uwsgi, which can allow a remote attacker to inject arbitrary HTTP headers and cause the server to return a split response. This in turn potentially allows the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and to obtain sensitive information. The issue affects Apache HTTP Server versions from 2.4.30 through 2.4.55.
The attack is executed by inserting special characters in the origin response header, which can truncate or split the response forwarded to the client. This can be exploited by the attacker to inject their own headers and cause the server to return a split response.
CVE-2023-25690: Apache HTTP Server request splitting
This bug is caused by an error in mod_proxy when enabled with some form of RewriteRule or ProxyPassMatch. A remote attacker could exploit this vulnerability to bypass access controls in the proxy server, proxy unintended URLs to existing origin servers, and perform cache poisoning. Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow for HTTP Request Smuggling attacks.
A non-specific pattern matches some portion of the user-supplied request-target data and is then re-inserted into the proxied request-target using variable substitution. This could result in request splitting or smuggling, bypassing access controls, and proxying unintended URLs to existing origin servers, which could lead to cache poisoning.
To stay safe, it is essential to promptly update Apache HTTP Server to the latest version 2.4.56. Additionally, organizations should consider implementing a Web Application Firewall to detect and block HTTP request splitting and response splitting attacks.