httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Samuel Vogel <samy-de...@gmx.de>
Subject Re: [users@httpd] RewriteRule exposing system directories
Date Thu, 13 Dec 2007 18:36:28 GMT
I guess I would have to mention, that this is inside of the virtual host 
definition!

Samuel Vogel schrieb:
> Hey guys,
>
> I just noticed a really bad security problem on my servers!
> The following RewriteRule exposes my system directories like /etc and 
> /var etc. :
>
> RewriteCond %{HTTP_HOST} !^www\.user\.domain\.de
> RewriteCond %{HTTP_HOST} ^(www.)?([a-z0-9-]+)\.user\.domain\.de
> RewriteRule (.*) /%2/$1 [L]
>
> I do not understand why thou. Maybe this is not the real origin of the 
> problem, but when I disable those lines, the system directories are 
> not accessible anymore.
> The rewriting is supposed to rewrite sub.user.domain.de to 
> user.domain.de/sub. Which works, but if you put "etc" in place of 
> "sub", it goes to "/etc/" and not to "/my/docroot/user/ect/".
>
> Why is that the case? And how can I prevent this?
>
> Regards,
> Samy
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server 
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message