http://issues.apache.org/bugzilla/show_bug.cgi?id=42990

           Summary: mod_rewrite does not decode hex encoded URI
           Product: Apache httpd-2
           Version: 2.0.54
          Platform: All
        OS/Version: Linux
            Status: NEW
          Keywords: TestID, RFC
          Severity: major
          Priority: P2
         Component: Other Modules
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]

Using RewriteRule on a proxy to match access to /console/ of the application server console, and to catch XSS attacks and redirect them outside, has a problem.

Using this RewriteRule on a virtual host:

    RewriteRule ^/console/(.*) http://www.mynewdomain.it/$1 [L,P]

If I use in my browser http://www.mydomain.it/console/ it works.

If I use in my browser http://www.mydomain.it/%63%6f%6e%73%6f%6c%65%2f, that is the hex format of "console/", it does not match and gets an error like "The requested URL /console/ was not found on this server".

Using hex encoding I could potentially bypass the Rewrite Engine rule, and bypass the proxy pass rule, with the result of access to parts of the site not available to everyone and directory traversal of the site or of the proxy.
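An added example, not part of the bug report and not Apache code: a log-review helper that applies the report's pattern to a request path both before and after percent-decoding, and lists escapes that encode characters RFC 3986 section 2.3 says never need encoding. The names classify, needless_escapes, PROTECTED and SAMPLES are assumptions made for this illustration, and the sample paths are constructed.

```python
import re
from urllib.parse import unquote

# Assumption: the protected prefix mirrors the pattern quoted in the report.
PROTECTED = re.compile(r"^/console/(.*)")

# RFC 3986 section 2.3 unreserved set: ALPHA / DIGIT / "-" / "." / "_" / "~".
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def needless_escapes(raw_path):
    """Return the percent-escapes in raw_path that encode unreserved characters."""
    return [m.group(0) for m in PCT.finditer(raw_path)
            if chr(int(m.group(1), 16)) in UNRESERVED]


def classify(raw_path):
    """Compare the pattern's verdict on the raw path and on the decoded path."""
    decoded = unquote(raw_path)
    raw_hit = bool(PROTECTED.match(raw_path))
    decoded_hit = bool(PROTECTED.match(decoded))
    return {
        "decoded": decoded,
        "raw_match": raw_hit,
        "decoded_match": decoded_hit,
        # True when the verdict depends on whether decoding happened first.
        "mismatch": raw_hit != decoded_hit,
        "needless": needless_escapes(raw_path),
    }


# Constructed sample request paths (not taken from real logs).
SAMPLES = [
    "/console/",
    "/%63%6f%6e%73%6f%6c%65%2f",
    "/docs/a%20b.html",
]

if __name__ == "__main__":
    for path in SAMPLES:
        result = classify(path)
        flag = "REVIEW" if result["mismatch"] or result["needless"] else "ok"
        print(f"{flag:6} {path} -> {result['decoded']} {result['needless']}")
```

A path flagged REVIEW is one where an access rule and the component that finally serves the request could disagree about what was asked for.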
