[Dshield] Is This Depicting a Security Hole in HTTPD?
brian at dessent.net
Tue Dec 6 18:19:56 GMT 2005
Jean-Pierre Schwickerath wrote:
> I tried this on my machine but I always got the local website. No way to
> relay anything through it. But I might not have enough imagination....
> Anyway, I believe you need to have the Apache Proxy-module or run
> another proxy on port 80 to relay this kind of things, don't you?
Unless you specifically set up the httpd.conf to allow proxy-CONNECT
then it's likely that you are not an open proxy. The "success" error
code can be misleading, see
<http://httpd.apache.org/docs/1.3/misc/FAQ.html#proxyscan>. You really
have to go out of your way to setup Apache as an open proxy, it will
most certainly not do that by default. So if you are using a stock
config you have nothing to worry about.
More information about the list