![](https://img.photobucket.com/albums/v704/chanpicco/chanpicco014/Uninett%20mod_auth_mellon_vul_Mar_2019-s_zpsgxbm1i2d.jpg)
Preface: The statistic by Netcraft in January 2019, Apache server coverage market reach 30.88%.
Technical background: Apache server not only contain web server service, it can config as a reserve proxy server to enhance the web infrastructure isolation level. Single sign-on authentication method growth significant in past few years. A popular web architecture model, setup Apache become reserve proxy service and thus integrate to single sign on (SAML) function.
Vulnerability detail: If Apache is configured as a reverse proxy with mod_auth_mellon for authentication, the authentication can be bypassed by adding SAML 2.0 ECP headers to the request.
Official announcement and security fixes: https://github.com/Uninett/mod_auth_mellon/releases