httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 46954] New: Rewrite rule exposes script path
Date Thu, 02 Apr 2009 07:02:28 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=46954

           Summary: Rewrite rule exposes script path
           Product: Apache httpd-2
           Version: 2.0.63
          Platform: PC
        OS/Version: Windows Server 2003
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_rewrite
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: mariusads@helpedia.com


Apache 2.0.63, Windows 2003 Web

I'm not sure if this is actually a bug or if I've written a bad rewrite rule
but if it happened to me it may happen to others.

I was trying to write a rule that would catch all URLs that don't end with "/"
because I had a lot of bots searching for various words like "dba", "admin",
"dev", "datenbank", "database" and so on, and I also have search engines using
"site.com/gameboy" instead of "site.com/gameboy/" and failing:

So here's the rule that I came up with:

RewriteRule ^([a-zA-Z0-9]+)$ $1/ [QSA,L,R]

Instead of redirecting www.site.com/word to www.site.com/word/ it actually
redirects users to www.site.com/DriveLetter/path/to/website/word/ and obviously
giving a 403 but the harm is already done.

Adding a / in front of $1 solved the problem.

I will actually replace the rule with something like RewriteRule ^([a-zA-Z0-9]+)$
verify.php?$1 [QSA,L] so that I catch those IPs that try various keywords and
add them to the firewall after several attempts.

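A check for the pattern reported above, added here as an example and not part of the original message or of Apache httpd: it scans one .htaccess file for RewriteRule lines that combine a redirect flag with a relative substitution while no RewriteBase is set. It assumes the rule runs in per-directory context, where mod_rewrite prefixes a relative substitution with the physical directory path; the function name and the sample file are constructed for illustration.

```python
import re
import shlex

# "R", "R=301", "redirect" or "redirect=permanent" among the rule flags.
REDIRECT_FLAG = re.compile(r"^(R|redirect)(=.+)?$", re.IGNORECASE)
# Targets that are not relative: URL-path, the "-" no-op, or scheme://host.
ABSOLUTE = re.compile(r"^(/|-$|[a-zA-Z][a-zA-Z0-9+.-]*://)")

# Constructed sample: the three rules quoted in the report, in order.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteRule ^([a-zA-Z0-9]+)$ $1/ [QSA,L,R]
RewriteRule ^([a-zA-Z0-9]+)$ /$1/ [QSA,L,R]
RewriteRule ^([a-zA-Z0-9]+)$ verify.php?$1 [QSA,L]
"""

def find_relative_redirects(config_text):
    """Return [(line_no, rule)] for external redirects to a relative target.

    Assumes config_text is a single .htaccess file, so one RewriteBase
    covers every rule in it. Targets that start with a variable such as
    %{...} are also reported and need manual review.
    """
    has_base = False
    suspects = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)  # honours quoted arguments
        except ValueError:
            continue  # unbalanced quote or trailing backslash: skip line
        directive = parts[0].lower()
        if directive == "rewritebase":
            has_base = True
        elif directive == "rewriterule" and len(parts) >= 3:
            substitution = parts[2]
            flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
            redirects = any(REDIRECT_FLAG.match(f.strip()) for f in flags)
            if redirects and not ABSOLUTE.match(substitution):
                suspects.append((line_no, line))
    # With a RewriteBase the prefix is a URL-path, not the filesystem path.
    return [] if has_base else suspects

if __name__ == "__main__":
    for line_no, rule in find_relative_redirects(SAMPLE_HTACCESS):
        print(f"line {line_no}: relative redirect target, no RewriteBase: {rule}")
```

Only the first rule is reported: the second has the leading "/" and the third is an internal rewrite, so neither sends the prefixed path to the client in a Location header.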