[Dshield] Is This Depicting a Security Hole in HTTPD?

Brian Dessent brian at dessent.net
Tue Dec 6 18:19:56 GMT 2005


Jean-Pierre Schwickerath wrote:

> I tried this on my machine but I always got the local website. No way to
> relay anything through it. But I might not have enough imagination....
> Anyway, I believe you need to have the Apache Proxy-module or run
> another proxy on port 80 to relay this kind of things, don't you?

Unless you specifically set up the httpd.conf to allow proxy-CONNECT
then it's likely that you are not an open proxy.  The "success" error
code can be misleading, see
<http://httpd.apache.org/docs/1.3/misc/FAQ.html#proxyscan>.  You really
have to go out of your way to setup Apache as an open proxy, it will
most certainly not do that by default.  So if you are using a stock
config you have nothing to worry about.

Brian


More information about the list mailing list