List Info

Thread: DO NOT REPLY New: - modrewrite do not decode hex econde uri
DO NOT REPLY New: - modrewrite do not decode hex econde uri
country flaguser name
United States		 2007-07-27 12:00:32 
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=42
990>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=42990

           Summary: modrewrite do not decode hex econde uri
           Product: Apache httpd-2
           Version: 2.0.54
          Platform: All
        OS/Version: Linux
            Status: NEW
          Keywords: TestID, RFC
          Severity: major
          Priority: P2
         Component: Other Modules
        AssignedTo: bugshttpd.apache.org
        ReportedBy: fiorenzitiscali.it


usind RewriteRule on proxy to match access to /cosole/ 
ofapplication server
console and to catch xss attack and redirect them outside
has a problem

using on a virtual host this rewriterule:

RewriteRule ^/console/(.*) 	http://www.mynewdomain.it/
$1 [L,P]


If I use on my browser http://www.mydomain.i
t/console/ it works
If I use on my browser http:
//www.mydomain.it/%63%6f%6e%73%6f%6c%65%2f that is
the hex format of "console/" it does not match and
get an error like "The
requested URL /console/ was not found on this server"

using hex encoding I could potentially bypass Rewrite Engine
rule, and bypass
proxy pass rule with result of access to part of site not
available to everyone
and directory traversal of site or of proxy.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=ema
il
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the
assignee.

------------------------------------------------------------
---------
To unsubscribe, e-mail: bugs-unsubscribehttpd.apache.org
For additional commands, e-mail: bugs-helphttpd.apache.org
DO NOT REPLY - modrewrite do not decode hex econde uri
country flaguser name
United States		 2007-07-30 12:25:32 
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=42
990>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=42990


sliveapache.org changed:

           What    |Removed                     |Added
------------------------------------------------------------
----------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




------- Additional Comments From sliveapache.org  2007-07-30
10:25 -------
So, why exactly didn't you read/respond to the thread that
you raised on
usershttpd.apache.org before filing this bug?

Anyway, the character '/' is in the RFC 2396
"reserved" set and is therefore not
equivalent to its hex encoding. Apache httpd ALWAYS responds
with a 404 to
requests containing %2f unless AllowEncodedSlashes is set
on. Therefore there is
no possibility to bypass rewriterules.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=ema
il
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the
assignee.

------------------------------------------------------------
---------
To unsubscribe, e-mail: bugs-unsubscribehttpd.apache.org
For additional commands, e-mail: bugs-helphttpd.apache.org
DO NOT REPLY - modrewrite do not decode hex econde uri
country flaguser name
United States		 2007-07-30 15:00:10 
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=42
990>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=42990


fiorenzitiscali.it changed:

           What    |Removed                     |Added
------------------------------------------------------------
----------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |




-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=ema
il
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the
assignee.

------------------------------------------------------------
---------
To unsubscribe, e-mail: bugs-unsubscribehttpd.apache.org
For additional commands, e-mail: bugs-helphttpd.apache.org
DO NOT REPLY - modrewrite do not decode hex econde uri
country flaguser name
United States		 2007-07-30 15:02:09 
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=42
990>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=42990


fiorenzitiscali.it changed:

           What    |Removed                     |Added
------------------------------------------------------------
----------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED




-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=ema
il
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the
assignee.

------------------------------------------------------------
---------
To unsubscribe, e-mail: bugs-unsubscribehttpd.apache.org
For additional commands, e-mail: bugs-helphttpd.apache.org
[1-4]

about | contact  Other archives ( Real Estate discussion Medical topics )