Posted to bugs@httpd.apache.org by bu...@apache.org on 2007/07/27 19:00:32 UTC
DO NOT REPLY [Bug 42990] New: - mod_rewrite does not decode hex-encoded URI
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=42990>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=42990
Summary: mod_rewrite does not decode hex-encoded URI
Product: Apache httpd-2
Version: 2.0.54
Platform: All
OS/Version: Linux
Status: NEW
Keywords: TestID, RFC
Severity: major
Priority: P2
Component: Other Modules
AssignedTo: bugs@httpd.apache.org
ReportedBy: fiorenzi@tiscali.it
Using a RewriteRule on a proxy to match access to /console/ of the application server
console, and to catch XSS attacks and redirect them outside, has a problem.
I am using this RewriteRule on a virtual host:
RewriteRule ^/console/(.*) http://www.mynewdomain.it/$1 [L,P]
If I use http://www.mydomain.it/console/ in my browser, it works.
If I use http://www.mydomain.it/%63%6f%6e%73%6f%6c%65%2f in my browser, which is
the hex format of "console/", it does not match and I get an error like "The
requested URL /console/ was not found on this server".
Using hex encoding I could potentially bypass the Rewrite Engine rule, and bypass
the proxy pass rule, with the result of access to parts of the site not available to everyone
and directory traversal of the site or of the proxy.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 42990] - mod_rewrite does not decode hex-encoded URI
Posted by bu...@apache.org.
fiorenzi@tiscali.it changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED
DO NOT REPLY [Bug 42990] - mod_rewrite does not decode hex-encoded URI
Posted by bu...@apache.org.
slive@apache.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID
------- Additional Comments From slive@apache.org 2007-07-30 10:25 -------
So, why exactly didn't you read/respond to the thread that you raised on
users@httpd.apache.org before filing this bug?
Anyway, the character '/' is in the RFC 2396 "reserved" set and is therefore not
equivalent to its hex encoding. Apache httpd ALWAYS responds with a 404 to
requests containing %2f unless AllowEncodedSlashes is set on. Therefore there is
no possibility of bypassing RewriteRules.
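To make the exchange above concrete, here is an added Python model of the decision slive describes, applied to the reporter's own RewriteRule. It is illustrative code written for this page, not httpd source and not something either poster wrote. It assumes, as the reply implies, that percent-escapes in the request path are decoded before mod_rewrite matches the pattern, that an encoded slash (%2F) is refused with a 404 unless AllowEncodedSlashes is On (in which case it becomes a literal "/"), and that a malformed escape is answered with 400 and an encoded NUL with 404; those status values and the "no other handler" behaviour for an unmatched path are assumptions of the model.

```python
import re
from typing import Optional, Tuple

# Added, illustrative model (not httpd code) of how a percent-encoded path is
# treated before the reporter's RewriteRule is matched.

# The reporter's rule, as posted:
#   RewriteRule ^/console/(.*) http://www.mynewdomain.it/$1 [L,P]
RULE = re.compile(r"^/console/(.*)")
SUBSTITUTION = "http://www.mynewdomain.it/"

HEXDIGITS = set("0123456789abcdefABCDEF")


def decode_request_path(raw: str, allow_encoded_slashes: bool = False) -> Tuple[int, Optional[str]]:
    """Decode %XX escapes in a request path.

    Returns (status, decoded_path). 200 means the decoded path is handed on to
    the rewrite engine. 400 is a malformed escape; 404 is an escape the server
    refuses to decode into the path (an encoded slash while AllowEncodedSlashes
    is Off, or an encoded NUL). The error status values are an assumption.
    """
    out = []
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        hexpair = raw[i + 1:i + 3]
        if len(hexpair) != 2 or not set(hexpair) <= HEXDIGITS:
            return 400, None
        decoded = chr(int(hexpair, 16))
        if decoded == "\0":
            return 404, None
        if decoded == "/" and not allow_encoded_slashes:
            # This is the case in the thread: %2f is not equivalent to "/".
            return 404, None
        out.append(decoded)
        i += 3
    return 200, "".join(out)


def rewrite(raw: str, allow_encoded_slashes: bool = False) -> Tuple[int, Optional[str]]:
    """Run the reporter's RewriteRule over a (possibly percent-encoded) path.

    Returns (status, proxied_url): 200 plus the [P] target when the rule matches;
    404 when the path is refused or when the rule does not match (no other
    handler is modelled for the unmatched case).
    """
    status, path = decode_request_path(raw, allow_encoded_slashes)
    if status != 200:
        return status, None
    m = RULE.match(path)
    if not m:
        return 404, None
    return 200, SUBSTITUTION + m.group(1)


if __name__ == "__main__":
    # Constructed sample paths: the reporter's two requests plus variants.
    samples = (
        "/console/",
        "/console/index.jsp",
        "/%63%6f%6e%73%6f%6c%65/",     # letters encoded, slash literal
        "/%63%6f%6e%73%6f%6c%65%2f",   # the reporter's request: slash encoded
        "/console/%00",
        "/%zz",
    )
    for raw in samples:
        print(f"{raw:30} Off -> {rewrite(raw)}   On -> {rewrite(raw, True)}")
```

Running the block shows why the reporter saw a 404 rather than a bypass: with the letters encoded but the slash literal, the path decodes to /console/ and the rule fires; with the slash encoded as %2f the request is refused before mod_rewrite runs, and only with AllowEncodedSlashes On does it decode and match.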
DO NOT REPLY [Bug 42990] - mod_rewrite does not decode hex-encoded URI
Posted by bu...@apache.org.
fiorenzi@tiscali.it changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |