We run our servers with Debian and our CMS runs on Tomcat (for the backend) and Jetty (for the frontend). To make sophisticated URL rewrites possible we rely on Apache's mod_rewrite module. After a recent update of the installed Debian packages, suddenly all internal rewrites failed. Redirects were still working fine.
This caused us a major headache until we found the problem.
I first tried to enable all kinds of logs: rewrite logs, logs for mod_jk. They all seemed to work; mod_jk was reporting the correct, rewritten URL!
I then looked at /usr/share/doc/libapache-mod-jk/changelog.Debian.gz which had this entry at the top:
libapache-mod-jk (1:1.2.18-3etch1) stable-security; urgency=high
* Forward unparsed URI to tomcat. Closes: #425836.
Passing unparsed URIs? Well, that's exactly the problem we were facing. CVE-2007-1860 describes a problem where attackers could force the use of a wrong worker.
A little more searching finally brought up this bug report, which describes our exact problem. The mod_jk people promise a fix in the upcoming 1.2.24 release.
Unfortunately this release is not available yet. But a look at the updated mod_jk docs brought up the solution:
The directive JkOptions allow you to set many forwarding options […] The default value is “ForwardURICompatUnparsed” since version 1.2.23. Until version 1.2.22 the default value was “ForwardURICompat”.
So the solution was simple: putting
into the httpd.conf solved the problem. However, it makes the system vulnerable to the mentioned security bug again. Because we only use a single worker for all paths, it does not affect us, and this fix is good enough until the next release of mod_jk is available.
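As an added example (not part of the original post), here is an httpd.conf fragment that puts the two JkOptions forwarding modes side by side with a single worker and an internal rewrite of the kind the post relies on. The worker name `ajp13`, the module and log paths, the mount and the RewriteRule are assumptions made for illustration:

```apache
# Added example, not from the original post. Worker name, paths and the
# RewriteRule are assumptions; adjust them to the real deployment.

LoadModule jk_module /usr/lib/apache2/modules/mod_jk.so
JkWorkersFile /etc/libapache2-mod-jk/workers.properties
JkLogFile     /var/log/apache2/mod_jk.log
JkLogLevel    info

# One worker serves every path. This is the precondition the post relies
# on when it re-enables the compat mode below: with a single worker there
# is no second mount that a double-encoded path could be steered into.
JkMount /* ajp13

# An internal rewrite: the client asks for /news/42, Apache rewrites the
# parsed URI to /content/show?id=42, but the unparsed request line still
# reads /news/42. [PT] hands the rewritten URI on so JkMount can see it.
RewriteEngine On
RewriteRule ^/news/([0-9]+)$ /content/show?id=$1 [PT]

# Default since mod_jk 1.2.23 (what the Debian security update shipped):
# forward the unparsed URI. Tomcat decodes the URI exactly once, which is
# the fix for CVE-2007-1860, but Tomcat then receives /news/42 and the
# internal rewrite is lost. An external redirect ([R]) still works because
# the browser sends a fresh request for the new URL.
#JkOptions +ForwardURICompatUnparsed

# The post's workaround (the default up to 1.2.22): forward the parsed URI,
# so Tomcat receives /content/show?id=42 and rewrites work again. Apache
# has already decoded this URI once and Tomcat decodes it a second time,
# which is the double-decoding problem the update fixed.
JkOptions +ForwardURICompat
```

Before settling on ForwardURICompat, check that nothing on the Apache side decides anything by path: no second JkMount or JkUnMount, and no `<Location>` or `<Directory>` restriction in front of Tomcat. With double decoding, a constructed request such as `/%2570rotected` is matched by Apache as `/%70rotected` (no restriction applies) while Tomcat decodes it to `/protected`, so any Apache-side control on that path can be slipped past. Later mod_jk documentation describes a third mode, ForwardURIProxy, which re-encodes the rewritten URI before forwarding it and became the default in 1.2.24; once that release is installed the workaround line above should be removed rather than carried forward.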