httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 46954] New: Rewrite rule exposes script path
Date Thu, 02 Apr 2009 07:02:28 GMT

           Summary: Rewrite rule exposes script path
           Product: Apache httpd-2
           Version: 2.0.63
          Platform: PC
        OS/Version: Windows Server 2003
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_rewrite

Apache 2.0.63, Windows 2003 Web

I'm not sure if this is actually a bug or if I've written a bad rewrite rule
but if it happened to me it may happen to others.

I was trying to write a rule that would catch all URLs that don't end with "/"
because I had a lot of bots searching for various words like "dba", "admin",
"dev", "datenbank", "database" and so on, and I also have search engines using
"" instead of "" and failing:

So here's the rule that I came up with:

RewriteRule ^([a-zA-Z0-9]+)$ $1/ [QSA,L,R]

Instead of redirecting to it actually
redirects users to and obviously
giving a 403 but the harm is already done.

Adding a / in front of $1 solved the problem.

I will actually replace the rule with something like RewriteRule ^([a-zA-Z0-9]+)$
verify.php?$1 [QSA,L] so that I catch those IPs that try various keywords and
add them to the firewall after several attempts.
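
Added example (not part of the original report, and not httpd project code): a small Python check that scans rewrite configuration for rules of the shape reported above, an external redirect (R flag) whose substitution lacks a leading / or a scheme. The function names and the sample configuration are constructed for illustration; treating an earlier RewriteBase as making a relative substitution safe relies on mod_rewrite's documented per-directory behaviour, which the report does not mention.

```python
import re

# "RewriteRule pattern substitution [flags]"; the flag list is optional.
RULE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$', re.I)
BASE = re.compile(r'^\s*RewriteBase\s+\S+', re.I)
# Leading "/", "-" (no substitution), scheme://, or a variable we cannot judge statically.
ABSOLUTE = re.compile(r'^(/|-$|[a-z][a-z0-9+.-]*://|%\{)', re.I)

# Constructed sample: the reported rule, the reporter's fix, and an internal rewrite.
SAMPLE = """\
RewriteEngine On
# rule from the report
RewriteRule ^([a-zA-Z0-9]+)$ $1/ [QSA,L,R]
# form the reporter says solved the problem
RewriteRule ^([a-zA-Z0-9]+)$ /$1/ [QSA,L,R]
# internal rewrite, no R flag
RewriteRule ^([a-zA-Z0-9]+)$ verify.php?$1 [QSA,L]
"""

def is_redirect(flags):
    """True if the flag list contains R, R=code, redirect or redirect=code."""
    return any(f.strip().lower().split('=')[0] in ('r', 'redirect')
               for f in flags.split(','))

def find_relative_redirects(config_text):
    """Return (line_no, rule, suggested_rule) for redirecting rules with a
    relative substitution and no RewriteBase seen earlier in the text."""
    findings, has_base = [], False
    for no, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue
        if BASE.match(line):
            has_base = True
            continue
        m = RULE.match(line)
        if not m:
            continue
        pattern, subst, flags = m.group(1), m.group(2), m.group(3) or ''
        if is_redirect(flags) and not has_base and not ABSOLUTE.match(subst):
            fixed = 'RewriteRule %s /%s [%s]' % (pattern, subst, flags)
            findings.append((no, line.strip(), fixed))
    return findings

if __name__ == '__main__':
    for no, rule, fixed in find_relative_redirects(SAMPLE):
        print('line %d: %s\n  suggest: %s' % (no, rule, fixed))
```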
