From: "William A. Rowe Jr."
Date: Thu, 15 Sep 2011 09:23:11 -0500
To: "dev@httpd.apache.org"
Subject: Fwd: Mis-configured Rewrite Rule Exposed Filesystem
Message-ID: <4E720A4F.6000201@rowe-clan.net>

not acked

-------- Original Message --------
From: "Ahmad, Rami (init)"
To: "security@apache.org"
CC: "]init[ Support Middle-East"
Date: Thu, 15 Sep 2011 10:31:29 +0000
Subject: Mis-configured Rewrite Rule Exposed Filesystem
Message-ID: <34828EBA396F2A4584464588427F713F0770C4@vEx02.init.de>

Dear Apache Security Team,

I would like to report the following security bug we have found.

We have done an update on the Apache server from 2.0.x to 2.2.x. Afterwards, the root filesystem was exposed to the public. The root cause was the following misconfigured rewrite rule:

    RewriteRule ^(.*) $1 [E=ORDNER:X,E=TOMCAT:http://10.x.x.x/X]

After fixing the rewrite rule the root filesystem was hidden from the public as it should be.

Fixed rule is:

    RewriteRule ^(.*) - [E=ORDNER:X,E=TOMCAT:http://10.x.x.x/X]

The following are the details of my environment:

OS: Red Hat Enterprise Linux Server release 5.7 (Tikanga) i686
Apache: 2.2.21

Please let me know if you require more information. And advise if you confirm this security bug.

Best Regards,

------------------------------------------------------
]init[ Middle East - Digital Communication
Rami Ahmad
Professional System Administrator
Abu Dhabi Mall, East Tower, Office No. E103
P.O. Box 109551
Abu Dhabi, U.A.E.
Office: +971 26445560
Mobile: +971 (0)561231587
Fax: +971 26445622
rami.ahmad@init.de
http://www.init.ae

]init[ AG fuer digitale Kommunikation – Abu Dhabi Branch
إينيت للإتصال الرقمي شركه مساهمه - فرع أبوظبي

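An added example, not part of the original messages or of httpd: a small Python check that flags RewriteRule directives of the shape reported above, where the substitution only replays the captured request path, and proposes the `-` form used in the report's fix. It generalizes slightly to the `^/(.*)` with `/$1` variant; the sample configuration is constructed and the function name is hypothetical.

```python
import re

# Constructed sample configuration; only the first two rules come from the report.
SAMPLE_CONF = r'''
RewriteEngine On
RewriteRule ^(.*) $1 [E=ORDNER:X,E=TOMCAT:http://10.x.x.x/X]
RewriteRule ^(.*) - [E=ORDNER:X,E=TOMCAT:http://10.x.x.x/X]
  rewriterule "^/(.*)$" "/$1" [E=SEEN:1]
RewriteRule ^/docs/(.*)$ /manual/$1 [PT]
# RewriteRule ^(.*) $1
'''

# A directive argument is either a double-quoted string or a run of non-space characters.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\S+')
# Pattern that captures the whole request path, optionally after a leading "/".
WHOLE_PATH = re.compile(r'^\^?(/?)\(\.\*\)\$?$')


def unquote(token):
    """Strip one pair of surrounding double quotes, if present."""
    if len(token) > 1 and token[0] == token[-1] == '"':
        return token[1:-1]
    return token


def find_identity_rewrites(conf_text):
    """Return (line_no, pattern, substitution, suggested_rule) for every
    RewriteRule whose substitution just replays the captured request path."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        tokens = [unquote(t) for t in TOKEN.findall(line)]
        if len(tokens) < 3 or tokens[0].lower() != "rewriterule":
            continue
        pattern, subst = tokens[1], tokens[2]
        flags = tokens[3] if len(tokens) > 3 else ""
        m = WHOLE_PATH.match(pattern)
        # "$1" after "^(.*)" or "/$1" after "^/(.*)" rebuilds the request path.
        if m and subst == m.group(1) + "$1":
            fixed = " ".join(["RewriteRule", pattern, "-", flags]).strip()
            findings.append((line_no, pattern, subst, fixed))
    return findings


if __name__ == "__main__":
    for line_no, pattern, subst, fixed in find_identity_rewrites(SAMPLE_CONF):
        print(f"line {line_no}: {pattern} {subst} -> suggest: {fixed}")
```
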