httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 51482] New: Issue with rewrite and mod_autoindex
Date Wed, 06 Jul 2011 13:33:05 GMT

             Bug #: 51482
           Summary: Issue with rewrite and mod_autoindex
           Product: Apache httpd-2
           Version: 2.2.9
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Core
    Classification: Unclassified

Hi there,

I've just experienced some pretty critical issues with a rewriting rule
allowing a user to list your local filesystem where the apache2 is running.

Create this simple vhost:

<VirtualHost *:80>

        UseCanonicalName On

        DocumentRoot /RDC/

        <Directory /RDC/>
                Options -Indexes +FollowSymLinks
                AllowOverride None
        </Directory>

        # Identity rewrite, evaluated in virtual-host context
        RewriteEngine On
        RewriteRule     ^(.*)                                   $1    [last]

        RewriteLog /tmp/test.log
        RewriteLogLevel 3

        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" t=%T" time
        LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" t=%T" f5_forwarder

        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" is-forwarder

        CustomLog /data/test.log time env=!is-forwarder
        CustomLog /data/test.log f5_forwarder env=is-forwarder

        ServerSignature Off

</VirtualHost>


Once this is done try to access . The mod_autoindex and
mod_dir must be loaded, and the DirectoryIndex must contain at least

You should be able to list the content of the directory if the user who is
running has the legitimate right.
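
An added example, not part of the original report or of Apache httpd: a small Python check that scans a configuration for the rule shape reported above, a RewriteRule in server or virtual-host context whose substitution begins with a request-derived backreference and carries no [PT], redirect, proxy or deny flag. It relies on the documented mod_rewrite behaviour that, in that context, a substitution is treated as a file-system path when its first path component exists on the file system; `audit_rewrite_rules` and the sample configuration are constructed for illustration.

```python
import re

# Sections in which mod_rewrite runs in per-directory context.
PER_DIR = {"directory", "directorymatch", "location", "locationmatch",
           "files", "filesmatch"}
# Flags under which the result is not used directly as a file-system path.
SAFE_FLAGS = {"pt", "passthrough", "r", "redirect", "p", "proxy",
              "f", "forbidden", "g", "gone"}
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\S+')

def audit_rewrite_rules(conf_text):
    """Return [(line_no, substitution)] for risky server/vhost-context rules."""
    findings, stack = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        section = re.match(r"<\s*(/?)\s*(\w+)", line)
        if section:                      # track <Section> ... </Section>
            if not section.group(1):
                stack.append(section.group(2).lower())
            elif stack:
                stack.pop()
            continue
        args = [t.strip('"') for t in TOKEN.findall(line)]
        if len(args) < 3 or args[0].lower() != "rewriterule":
            continue
        if any(s in PER_DIR for s in stack):
            continue                     # per-directory context: out of scope
        flag_text = args[3] if len(args) > 3 else ""
        flags = {f.split("=")[0].strip().lower()
                 for f in flag_text.strip("[]").split(",")}
        # First path component comes from the request: $N, %N or %{VAR}.
        if re.match(r"/?(\$\d|%\d|%\{)", args[2]) and not flags & SAFE_FLAGS:
            findings.append((no, args[2]))
    return findings

# Constructed sample, modelled on the vhost in the report.
SAMPLE = """\
<VirtualHost *:80>
    DocumentRoot /RDC/
    <Directory /RDC/>
        RewriteRule ^(.*) $1 [last]
    </Directory>
    RewriteEngine On
    RewriteRule ^(.*) $1 [last]
    RewriteRule ^(.*) $1 [PT,last]
</VirtualHost>
"""

if __name__ == "__main__":
    print(audit_rewrite_rules(SAMPLE))
```

Only the virtual-host-level rule without [PT] is reported; the copy inside `<Directory>` and the [PT] variant are not.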
