Posted to users@httpd.apache.org by Samuel Vogel <sa...@gmx.de> on 2007/12/13 19:31:40 UTC

[users@httpd] RewriteRule exposing system directories

Hey guys,

I just noticed a really bad security problem on my servers!
The following RewriteRule exposes my system directories like /etc and 
/var etc. :

RewriteCond %{HTTP_HOST} !^www\.user\.domain\.de
RewriteCond %{HTTP_HOST} ^(www.)?([a-z0-9-]+)\.user\.domain\.de
RewriteRule (.*) /%2/$1 [L]

I do not understand why though. Maybe this is not the real origin of the 
problem, but when I disable those lines, the system directories are not 
accessible anymore.
The rewriting is supposed to rewrite sub.user.domain.de to 
user.domain.de/sub. Which works, but if you put "etc" in place of "sub", 
it goes to "/etc/" and not to "/my/docroot/user/etc/".

Why is that the case? And how can I prevent this?

Regards,
Samy

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] RewriteRule exposing system directories

Posted by Samuel Vogel <sa...@gmx.de>.
I guess I would have to mention, that this is inside of the virtual host 
definition!

Samuel Vogel schrieb:
> Hey guys,
>
> I just noticed a really bad security problem on my servers!
> The following RewriteRule exposes my system directories like /etc and 
> /var etc. :
>
> RewriteCond %{HTTP_HOST} !^www\.user\.domain\.de
> RewriteCond %{HTTP_HOST} ^(www.)?([a-z0-9-]+)\.user\.domain\.de
> RewriteRule (.*) /%2/$1 [L]
>
> I do not understand why though. Maybe this is not the real origin of the 
> problem, but when I disable those lines, the system directories are 
> not accessible anymore.
> The rewriting is supposed to rewrite sub.user.domain.de to 
> user.domain.de/sub. Which works, but if you put "etc" in place of 
> "sub", it goes to "/etc/" and not to "/my/docroot/user/etc/".
>
> Why is that the case? And how can I prevent this?
>
> Regards,
> Samy
>



Re: [users@httpd] RewriteRule exposing system directories

Posted by "Neil A. Hillard" <ne...@agustawestland.com>.
Hi,

Vincent Bray wrote:
> On 14/12/2007, Neil A. Hillard <ne...@agustawestland.com> wrote:
>> To me this doesn't make sense.  All rewriting is relative to the
>> DocumentRoot anyway so you shouldn't have to include it in the
>> RewriteRule.  You can't use RewriteRule to map to arbitrary directories
>> in the filesystem.
> 
> Hi Neil,
> 
> That's flat wrong, sorry. Try it :-)

OK - I stand corrected.  This looks to be something that was changed
between 2.0 and 2.2...


				Neil.

-- 
Neil Hillard                    neil.hillard@agustawestland.com
AgustaWestland                  http://www.whl.co.uk/

Disclaimer: This message does not necessarily reflect the
            views of Westland Helicopters Ltd.



Re: [users@httpd] RewriteRule exposing system directories

Posted by Vincent Bray <no...@gmail.com>.
On 14/12/2007, Neil A. Hillard <ne...@agustawestland.com> wrote:
> To me this doesn't make sense.  All rewriting is relative to the
> DocumentRoot anyway so you shouldn't have to include it in the
> RewriteRule.  You can't use RewriteRule to map to arbitrary directories
> in the filesystem.

Hi Neil,

That's flat wrong, sorry. Try it :-)



-- 
noodl



Re: [users@httpd] RewriteRule exposing system directories

Posted by "Neil A. Hillard" <ne...@agustawestland.com>.
Hi,

Samuel Vogel wrote:
> It seems like Apache just forgets about the "../". A relative path to
> "../wcf/" called from "wbb.samy.domain.de" results in the following:
> [Thu Dec 13 21:26:24 2007] [error] [client 160.94.18.117] File does not
> exist: /data/apache/users/domain.de/samy/www/wbb/wcf, referer:
> http://wbb.samy.domain.de/
> 
> When I call "samy.domain.de/wbb" it works though!

This is obvious, really.  You cannot go up past the root of
wbb.samy.domain.de.  Therefore to access wcf.samy.domain.de you'll have
to use the FQDN.  (Apache will map the request for
wbb.samy.domain.de/../wcf to wbb.samy.domain.de/wcf)

Accessing it through samy.domain.de means that you are accessing it from
the parent directory, therefore there is a ../wcf in relation to wbb.


> I turned on the RewriteLog, but the file stays empty:
> RewriteLog /data/apache/rewrite.log
> RewriteLogLevel 9
> 
> The rights on the file are as follows (and apache created it by itself):
> -rwxrwxrwx 1 www-data www-data 0 2007-12-13 20:20 /data/apache/rewrite.log
> 
> Does the errorlog snippet already contain enough information? If not so,
> then please hint me towards how to obtain the Rewrite log!
> 
> Regards,
> Samy
> 
> 
> Vincent Bray schrieb:
>> On 13/12/2007, Samuel Vogel <sa...@gmx.de> wrote:
>>  
>>> I don't understand why it worked beforehand with my insecure
>>> RewriteRule.
>>> Also in my opinion mod_rewrite should/does not change the path, it just
>>> makes it appear different!?
>>>
>>> For example, when I call "samy.domain.de/wbb" it works, but
>>> "wbb.domain.kilu.de/" it does not work. Rewriting looks like this now:
>>>
>>> RewriteCond %{HTTP_HOST} !^www\.samy\.domain\.de
>>> RewriteCond %{HTTP_HOST} ^(www.)?([a-z0-9-]+)\.samy\.domain\.de
>>> RewriteRule (.*) %{DOCUMENT_ROOT}/%2/$1 [L]

To me this doesn't make sense.  All rewriting is relative to the
DocumentRoot anyway so you shouldn't have to include it in the
RewriteRule.  You can't use RewriteRule to map to arbitrary directories
in the filesystem.

I also really can't see why Apache would serve the contents of /etc if
you have your DocumentRoot set to /data/apache/users.  You don't have
your DocumentRoot set to / do you?

Assuming your DocumentRoot is set to /data/apache/users then all data
served will be from within there.

If you are going to continue to use the above RewriteConds then you'll
need to escape the '.' in the second one, otherwise www3, wwwx, etc.
will match.


>>> Why does this break relative paths?

Because they try to go above the root.

>> That's hard to say without seeing the rewrite log. I don't know if ../
>> would be interpreted as part of the path in this case (I would guess
>> not, but check your error log for the paths of your 404s).


				Neil.

-- 
Neil Hillard                    neil.hillard@agustawestland.com
AgustaWestland                  http://www.whl.co.uk/

Disclaimer: This message does not necessarily reflect the
            views of Westland Helicopters Ltd.
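The resolution Neil describes, carried through in Python as an added example (not code from the thread). The DocumentRoot value is inferred from the error-log path Samuel quoted at the top of this message, and the host-to-directory mapping is a hand-written emulation of the RewriteRule quoted further down, not mod_rewrite itself:

```python
import posixpath
from urllib.parse import urljoin, urlsplit

# Assumed from the quoted error log: httpd tried to open <this>/wbb/wcf,
# so this is taken to be %{DOCUMENT_ROOT} of the vhost in question.
DOCROOT = "/data/apache/users/domain.de/samy/www"


def resolve(base_url, relative):
    """Resolve a relative reference the way a browser does (RFC 3986).

    '..' removes one segment of the base path but can never climb above
    '/', so a page served from the root of wbb.samy.domain.de cannot reach
    a sibling sub-domain with '../wcf/'; it lands on the same host.
    """
    return urljoin(base_url, relative)


def map_to_filesystem(url):
    """Hand-written emulation of the vhost rule quoted in this message:

    RewriteCond %{HTTP_HOST} !^www\\.samy\\.domain\\.de
    RewriteCond %{HTTP_HOST} ^(www.)?([a-z0-9-]+)\\.samy\\.domain\\.de
    RewriteRule (.*) %{DOCUMENT_ROOT}/%2/$1 [L]

    Hosts of the form <sub>.samy.domain.de (but not www.samy.domain.de) get
    the sub-domain label inserted after DOCROOT; anything else is served
    relative to DOCROOT as usual.
    """
    parts = urlsplit(url)
    labels = parts.hostname.split(".")
    rewritten = (len(labels) == 4
                 and labels[1:] == ["samy", "domain", "de"]
                 and labels[0] != "www")
    if rewritten:
        target = f"{DOCROOT}/{labels[0]}/{parts.path}"
    else:
        target = f"{DOCROOT}/{parts.path}"
    # $1 carries the leading '/', so the raw substitution has a doubled
    # slash; normpath collapses it and strips the trailing slash.
    return posixpath.normpath(target)
```

Running the two cases from the message shows why the 404 path ends in wbb/wcf: the browser resolves "../wcf/" on wbb.samy.domain.de to /wcf/ on that same host, and the rule then prefixes wbb again.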



Re: [users@httpd] RewriteRule exposing system directories

Posted by Samuel Vogel <sa...@gmx.de>.
It seems like Apache just forgets about the "../". A relative path to 
"../wcf/" called from "wbb.samy.domain.de" results in the following:
[Thu Dec 13 21:26:24 2007] [error] [client 160.94.18.117] File does not 
exist: /data/apache/users/domain.de/samy/www/wbb/wcf, referer: 
http://wbb.samy.domain.de/

When I call "samy.domain.de/wbb" it works though!

I turned on the RewriteLog, but the file stays empty:
RewriteLog /data/apache/rewrite.log
RewriteLogLevel 9

The rights on the file are as follows (and apache created it by itself):
-rwxrwxrwx 1 www-data www-data 0 2007-12-13 20:20 /data/apache/rewrite.log

Does the errorlog snippet already contain enough information? If not so, 
then please hint me towards how to obtain the Rewrite log!

Regards,
Samy


Vincent Bray schrieb:
> On 13/12/2007, Samuel Vogel <sa...@gmx.de> wrote:
>   
>> I don't understand why it worked beforehand with my insecure RewriteRule.
>> Also in my opinion mod_rewrite should/does not change the path, it just
>> makes it appear different!?
>>
>> For example, when I call "samy.domain.de/wbb" it works, but
>> "wbb.domain.kilu.de/" it does not work. Rewriting looks like this now:
>>
>> RewriteCond %{HTTP_HOST} !^www\.samy\.domain\.de
>> RewriteCond %{HTTP_HOST} ^(www.)?([a-z0-9-]+)\.samy\.domain\.de
>> RewriteRule (.*) %{DOCUMENT_ROOT}/%2/$1 [L]
>>
>> Why does this break relative paths?
>>     
>
> That's hard to say without seeing the rewrite log. I don't know if ../
> would be interpreted as part of the path in this case (I would guess
> not, but check your error log for the paths of your 404s).
>
>   



Re: [users@httpd] RewriteRule exposing system directories

Posted by Vincent Bray <no...@gmail.com>.
On 13/12/2007, Samuel Vogel <sa...@gmx.de> wrote:
> I don't understand why it worked beforehand with my insecure RewriteRule.
> Also in my opinion mod_rewrite should/does not change the path, it just
> makes it appear different!?
>
> For example, when I call "samy.domain.de/wbb" it works, but
> "wbb.domain.kilu.de/" it does not work. Rewriting looks like this now:
>
> RewriteCond %{HTTP_HOST} !^www\.samy\.domain\.de
> RewriteCond %{HTTP_HOST} ^(www.)?([a-z0-9-]+)\.samy\.domain\.de
> RewriteRule (.*) %{DOCUMENT_ROOT}/%2/$1 [L]
>
> Why does this break relative paths?

That's hard to say without seeing the rewrite log. I don't know if ../
would be interpreted as part of the path in this case (I would guess
not, but check your error log for the paths of your 404s).

-- 
noodl



Re: [users@httpd] RewriteRule exposing system directories

Posted by Samuel Vogel <sa...@gmx.de>.
Vincent Bray schrieb:
> On 13/12/2007, Samuel Vogel <sa...@gmx.de> wrote:
>   
>> I did that, but unfortunately it breaks something else, which worked
>> before. When a page in a subdirectory tried to get an image from a
>> directory relative to the docroot, that does not work anymore.
>> This can be seen here: http://tinyurl.com/37owgr
>>     
>
> I'm not sure I understand the question but it sounds like you're
> asking about why your relative links break when you change the path
> relative to them.. So, don't do that :-)
>
> When applying site-wide resources to html pages at
> /any/depth/of/your/site it's best to make them /absolute/urls then
> there's no confusion.
>   
I don't understand why it worked beforehand with my insecure RewriteRule.
Also in my opinion mod_rewrite should/does not change the path, it just 
makes it appear different!?

For example, when I call "samy.domain.de/wbb" it works, but 
"wbb.domain.kilu.de/" it does not work. Rewriting looks like this now:

RewriteCond %{HTTP_HOST} !^www\.samy\.domain\.de
RewriteCond %{HTTP_HOST} ^(www.)?([a-z0-9-]+)\.samy\.domain\.de
RewriteRule (.*) %{DOCUMENT_ROOT}/%2/$1 [L]

Why does this break relative paths?

Regards,
Samy



Re: [users@httpd] RewriteRule exposing system directories

Posted by Vincent Bray <no...@gmail.com>.
On 13/12/2007, Samuel Vogel <sa...@gmx.de> wrote:
> I did that, but unfortunately it breaks something else, which worked
> before. When a page in a subdirectory tried to get an image from a
> directory relative to the docroot, that does not work anymore.
> This can be seen here: http://tinyurl.com/37owgr

I'm not sure I understand the question but it sounds like you're
asking about why your relative links break when you change the path
relative to them.. So, don't do that :-)

When applying site-wide resources to html pages at
/any/depth/of/your/site it's best to make them /absolute/urls then
there's no confusion.

-- 
noodl



Re: [users@httpd] RewriteRule exposing system directories

Posted by Samuel Vogel <sa...@gmx.de>.
Ok, thanks for the hint!

I did that, but unfortunately it breaks something else, which worked 
before. When a page in a subdirectory tried to get an image from a 
directory relative to the docroot, that does not work anymore.
This can be seen here: http://tinyurl.com/37owgr

How can I fix this? Maybe there is some trick I don't know about?

Regards,
Samy

Vincent Bray schrieb:
> On 13/12/2007, Samuel Vogel <sa...@gmx.de> wrote:
>   
>> I just noticed a really bad security problem on my servers!
>> The following RewriteRule exposes my system directories like /etc and
>> /var etc. :
>>     
>
> Hi,
>
> This is a common misconception, sadly. Documented here:
>
> http://wiki.apache.org/httpd/RewriteSecurity
>
>   



Re: [users@httpd] RewriteRule exposing system directories

Posted by Vincent Bray <no...@gmail.com>.
On 13/12/2007, Samuel Vogel <sa...@gmx.de> wrote:
> I just noticed a really bad security problem on my servers!
> The following RewriteRule exposes my system directories like /etc and
> /var etc. :

Hi,

This is a common misconception, sadly. Documented here:

http://wiki.apache.org/httpd/RewriteSecurity

-- 
noodl



Re: [users@httpd] RewriteRule exposing system directories

Posted by Krist van Besien <kr...@gmail.com>.
On Dec 13, 2007 7:31 PM, Samuel Vogel <sa...@gmx.de> wrote:
> Hey guys,
>
> I just noticed a really bad security problem on my servers!
> The following RewriteRule exposes my system directories like /etc and
> /var etc. :
>
> RewriteCond %{HTTP_HOST} !^www\.user\.domain\.de
> RewriteCond %{HTTP_HOST} ^(www.)?([a-z0-9-]+)\.user\.domain\.de
> RewriteRule (.*) /%2/$1 [L]
>
> I do not understand why though. Maybe this is not the real origin of the
> problem, but when I disable those lines, the system directories are not
> accessible anymore.
> The rewriting is supposed to rewrite sub.user.domain.de to
> user.domain.de/sub. Which works, but if you put "etc" in place of "sub",
> it goes to "/etc/" and not to "/my/docroot/user/etc/".

The rule you show us above will rewrite
sub.user.domain.de/foo to /sub/foo,
sub.user.domain.de/    to /sub. Is this what you want? All your
subdomains live in the root?
I suppose what you want is:

RewriteCond %{HTTP_HOST} !^www\.user\.domain\.de
RewriteCond %{HTTP_HOST} ^(www.)?([a-z0-9-]+)\.user\.domain\.de
RewriteRule (.*) /my/doc/root/%2/$1 [L]


> Why is that the case? And how can I prevent this?

Firstly, if you want to know what is going on in your rewrite rules
turn on rewrite logging. It will tell you a bundle, and will give us
something to look at if you can't figure it out yourself.

Secondly, you should have the following in your httpd.conf:

<Directory />
Order Deny,Allow
Deny from all
</Directory>

This turns off access to your entire filesystem by default, which
protects you against accidentally showing stuff to the world. You can
then selectively make parts of your file system available again:

<Directory /my/doc/root>
Order Deny,Allow
Allow from all
</Directory>

Krist



-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
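An added example (not code from the thread) that emulates the two RewriteConds and the RewriteRule in Python and checks where each substitution lands. It reproduces Krist's point that /%2/$1 puts every sub-domain at the filesystem root, the corrected rule with an absolute DocumentRoot prefix, and Neil's earlier remark that the unescaped dot in (www.)? lets hosts such as wwwfoo be split the wrong way. The DocumentRoot value is the one Neil assumed earlier in the thread; the emulation is hand-written and is not mod_rewrite itself.

```python
import posixpath
import re

# DocumentRoot Neil assumed earlier in the thread; host names are the thread's own.
DOCROOT = "/data/apache/users"

# The thread's two RewriteConds, verbatim: note the unescaped '.' in (www.)?
EXCLUDE_RE = re.compile(r"^www\.user\.domain\.de")
HOST_RE_UNESCAPED = re.compile(r"^(www.)?([a-z0-9-]+)\.user\.domain\.de")
# Neil's fix: only a literal "www." prefix is optional.
HOST_RE_ESCAPED = re.compile(r"^(www\.)?([a-z0-9-]+)\.user\.domain\.de")


def subdomain(host, host_re=HOST_RE_ESCAPED):
    """Return %2 (the sub-domain label) when both conditions hold, else None."""
    if EXCLUDE_RE.match(host):
        return None
    m = host_re.match(host)
    return m.group(2) if m else None


def rewrite_target(host, uri, prefix="/", host_re=HOST_RE_ESCAPED):
    """Emulate 'RewriteRule (.*) <prefix>%2/$1 [L]' in vhost context.

    prefix="/" is the original rule; prefix=DOCROOT + "/" is Krist's fix.
    A substitution that starts with '/' and names an existing directory
    such as /etc is ambiguous between a URL-path and a filesystem path,
    which is the problem the RewriteSecurity page linked above describes.
    """
    sub = subdomain(host, host_re)
    if sub is None:
        return uri  # rule did not fire; the URI passes through unchanged
    # $1 is the whole URL-path including its leading '/', so the raw
    # substitution contains '//'; normpath collapses it.
    return posixpath.normpath(f"{prefix}{sub}/{uri}")


def inside_docroot(path, docroot=DOCROOT):
    """Containment check to run over candidate targets before deploying a rule."""
    norm = posixpath.normpath(path)
    root = posixpath.normpath(docroot)
    return norm == root or norm.startswith(root + "/")
```

With the original rule, the host "etc.user.domain.de" produces the target /etc, which fails the containment check; with Krist's prefix the same host maps under DOCROOT. The Deny-from-all <Directory /> block Krist shows is the belt-and-braces layer for targets that slip past such a review.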
