httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 51482] New: Issue with rewrite and mod_autoindex
Date Wed, 06 Jul 2011 13:33:05 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=51482

             Bug #: 51482
           Summary: Issue with rewrite and mod_autoindex
           Product: Apache httpd-2
           Version: 2.2.9
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: jeanpralo@gmail.com
    Classification: Unclassified


Hi there,


I've just experienced some pretty critical issues with a rewriting rule
allowing a user to list your local filesystem where apache2 is running.

Create this simple vhost:

<VirtualHost *:80>
        ServerName test.com

        UseCanonicalName On

        DocumentRoot /RDC/test.com

        <Directory /RDC/test.com>
                Options -Indexes +FollowSymLinks
                AllowOverride None
        </Directory>

        RewriteEngine On
        RewriteRule     ^(.*)                                   $1    [last]

        RewriteLog /tmp/test.log
        RewriteLogLevel 3

        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" t=%T" time
        LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" t=%T" f5_forwarder

        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" is-forwarder

        CustomLog /data/test.log time env=!is-forwarder
        CustomLog /data/test.log f5_forwarder env=is-forwarder

        ServerSignature Off

</VirtualHost>



Once this is done, try to access http://test.com/etc/ . The mod_autoindex and
mod_dir modules must be loaded, and the DirectoryIndex must contain at least
index.html.


You should be able to list the content of the directory if the user who is
running has the legitimate right.

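A hardened variant of the vhost from the report, as an added example that is not part of the original message or the project's own configuration. It assumes Apache 2.2 access-control syntax (Order/Deny) and uses two documented mechanisms: a default-deny `<Directory />` block, and the RewriteRule PT flag, which makes the substitution be treated as a URL-path instead of a filesystem path.

```apache
# Constructed example, Apache 2.2 syntax (on 2.4 use "Require all denied" /
# "Require all granted" in place of the Order/Deny/Allow lines).

# Global default: no filesystem path is served or listed unless a more
# specific <Directory> block grants access. A request that ends up mapped
# to a path outside DocumentRoot (such as /etc/) is refused.
<Directory />
        Options None
        AllowOverride None
        Order deny,allow
        Deny from all
</Directory>

<VirtualHost *:80>
        ServerName test.com
        DocumentRoot /RDC/test.com

        # Only the document root is opened up; listings stay disabled.
        <Directory /RDC/test.com>
                Options -Indexes +FollowSymLinks
                AllowOverride None
                Order allow,deny
                Allow from all
        </Directory>

        RewriteEngine On

        # Before (as in the report): in virtual-host context the rewritten
        # value is used as a filesystem path when its first path segment
        # exists on disk, so /etc/ is not prefixed with DocumentRoot.
        #   RewriteRule ^(.*) $1 [last]

        # After: PT passes the result back to URL mapping, so /etc/ is
        # resolved as a URL-path under DocumentRoot (/RDC/test.com/etc/).
        RewriteRule ^(.*) $1 [PT,L]
</VirtualHost>
```

Either change alone addresses the listing described above; the `<Directory />` default also covers other rules or aliases that could map a request outside the document root.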