httpd-users mailing list archives

From Samuel Vogel
Subject [users@httpd] RewriteRule exposing system directories
Date Thu, 13 Dec 2007 18:31:40 GMT
Hey guys,

I just noticed a really bad security problem on my servers!
The following RewriteRule exposes my system directories like /etc and 
/var etc. :

RewriteCond %{HTTP_HOST} !^www\.user\.domain\.de
RewriteCond %{HTTP_HOST} ^(www.)?([a-z0-9-]+)\.user\.domain\.de
RewriteRule (.*) /%2/$1 [L]

I do not understand why though. Maybe this is not the real origin of the 
problem, but when I disable those lines, the system directories are not 
accessible anymore.
The rewriting is supposed to rewrite to Which works, but if you put "etc" in place of "sub", 
it goes to "/etc/" and not to "/my/docroot/user/etc/".

Why is that the case? And how can I prevent this?
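
An added example, not part of the original message: in server or virtual-host context, mod_rewrite treats a substitution as a file-system path when its first path segment exists at the root of the file system, which is why /%2/$1 with %2 = "etc" resolves to /etc/. The sketch below shows the rule from the message beside one whose substitution is anchored to an explicit directory, plus a default-deny on the file-system root. It assumes the rule sits in a virtual host, that /my/docroot/user is the directory holding the per-user sites (taken from the path in the message), and Apache 2.4 access-control syntax.

```apache
# Added example; assumes virtual-host context and that the per-user
# sites live under /my/docroot/user (path taken from the message).

# Default-deny the whole file system so a mis-mapped request is refused.
# (Apache 2.4 syntax; on 2.2 use "Order deny,allow" and "Deny from all".)
<Directory "/">
    Require all denied
    AllowOverride None
</Directory>

# Re-open only the tree that is meant to be served.
<Directory "/my/docroot/user">
    Require all granted
</Directory>

RewriteEngine On

# Weak (from the message, kept commented out): the first segment of the
# substitution is the captured host label %2. When a directory of that
# name exists at the file-system root (etc, var, ...), the result is
# taken as a file-system path instead of a DocumentRoot-relative URL-path.
#RewriteCond %{HTTP_HOST} !^www\.user\.domain\.de
#RewriteCond %{HTTP_HOST} ^(www.)?([a-z0-9-]+)\.user\.domain\.de
#RewriteRule (.*) /%2/$1 [L]

# Corrected: the substitution starts with a fixed directory, so the
# captured label can only select a subdirectory below it. The pattern
# [a-z0-9-]+ admits no dots or slashes, so %2 cannot climb out.
RewriteCond %{HTTP_HOST} !^www\.user\.domain\.de
RewriteCond %{HTTP_HOST} ^(www.)?([a-z0-9-]+)\.user\.domain\.de
RewriteRule ^/(.*)$ /my/docroot/user/%2/$1 [L]
```

With the default-deny in place, a request that still maps outside /my/docroot/user is answered with 403 rather than served.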

