mod_proxy and POST bug in Apache?

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
One of the things about using Freenode is that they scan you when you
connect to them.  As a user, you agree to that.  That's not a problem
for me, but it pointed out something recently.

I run Apache 2.2.11 with mod_proxy.  I only allow, or so I thought,
proxy connections from internal hosts.  ProxyRequests is Off for my
virtual server that faces the Internet.  Freenode checks for that.

When they scanned me, my Apache correctly responded 405 to their CONNECT
request for a non-local URL, but it happily responded 200 to their POST
request for a non-local URL.  POST scanning from them is new within the
last week.

I've been unable to find any mention of this behavior of httpd on the
web, including and BugTraq, the two (I think) most obvious
places to check.

It seems logical to me that Freenode now does this scan because they
know something.  But other than discovering I'm vulnerable to it, I
haven't been able to find anything about it.

It seems like an Apache bug to me.  What does anybody know?

Re: mod_proxy and POST bug in Apache?

Allen Kistler wrote:
Quoted text here. Click to load it

So I did my own pen attempt on myself.  Apache just returns my
index.html for the POST.  Successfully returning index.html is why the
return code is 200.  It didn't actually proxy anything.

Site Timeline