The module mod_rewrite in Apache httpd is affected by an open redirect vulnerability (CVE-2020-1927, CVE-2019-10098). Such redirects can be configured on the virtual host in the WAF Configuration Center [1].
Depending on the configured redirects, an attacker may be able to craft an URL that gets transformed by Airlock WAF to an URL that points to an attacker controlled destination. Note that open redirect vulnerabilities are especially useful for attackers trying to conduct phishing campains.
With the Apache httpd update 2.4.43 mod_rewrite was changed to prevent some common mistakes related to insecure redirect configurations. But since this fix will not prevent open redirect vulnerabilities in general, we recommend to check your configuration manually.
We recommend to check your redirect settings in all virtual hosts (tab "Advanced") or on the Configuration Summary Page in section "Path Rewrites".
If you are not using backreferences like $1, $2, ..., $N, your configuration is safe.
If you are using backreferences you have to think whether an attacker is able to craft an URLs that will be transformed to a malicious URL, e.g. a URL that points to an attacker controlled host.
Examples [2]
R: Redirect setting [from => to]
E: Exploit example (URL to be transformed by Airlock WAF
D: Resulting redirect URL
R: ^/oldwebsite(.*) => $1 E: https://redirect.local/oldwebsitehttp://evilwebsite.com/ D: http://evilwebsite.com/ R: ^/page(.*) => $1.html E: https://redirect.local/pagehttp://evilwebsite.com/evil D: http://evilwebsite.com/evil.html R: ^/api/(.*)/(.*) => http://$1:8080/$2 E: https://redirect.local/api/evilwebsite.com/foo D: http://evilwebsite.com:8080/foo R: (.*)$ => https://redirect.local$1 E: https://redirect.local/%0a.evilwebsite.com D: https://redirect.local.evilwebsite.com R: (.*)$ => https://redirect.local:443$1 E: https://redirect.local/%0afoo@0day.work D: https://redirect.local:443foo@0day.work
If you found an insecure redirect we recommend changing it so that an attacker can not control critical parts of the destination URL like protocol, hostname, port or basic auth username/password.