A newly discovered flaw in Apache web servers could allow attackers to use servers configured as "reverse proxies" to gain access to or attack systems hidden from public view. The bug in Apache's reverse proxy mode only affects servers that have been configured incorrectly, but that error isn't an obvious one, since it doesn't interfere with normal operations. The flaw could be used by attackers to reach Web-enabled resources on other servers connected to the same network as the proxy.(...)
The security hole, discovered by Qualys Security Labs' Prutha Parikh, allows attackers using a specially crafted HTTP GET request to alter the universal resource indicator (URI) created by Apache's remote proxy module, diverting it from the destination set in rules and allowing the attacker to access other systems on the network.
Full story at ArsTechnica