https://issues.apache.org/bugzilla/show_bug.cgi?id=51482
Bug #: 51482
Summary: Issue with rewrite and mod_autoindex
Product: Apache httpd-2
Version: 2.2.9
Platform: PC
OS/Version: Linux
Status: NEW
Severity: critical
Priority: P2
Component: Core
AssignedTo: [email protected]
ReportedBy: [email protected]
Classification: Unclassified
Hi there,
I've just experienced some pretty critical issues with a rewriting rule
allowing a user to list your local filesystem where the apache2 is running.
Create this simple vhost:
<VirtualHost *:80>
    ServerName test.com
    UseCanonicalName On
    DocumentRoot /RDC/test.com
    <Directory /RDC/test.com>
        Options -Indexes +FollowSymLinks
        AllowOverride None
    </Directory>
    RewriteEngine On
    RewriteRule ^(.*) $1 [last]
    RewriteLog /tmp/test.log
    RewriteLogLevel 3
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" t=%T" time
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" t=%T" f5_forwarder
    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" is-forwarder
    CustomLog /data/test.log time env=!is-forwarder
    CustomLog /data/test.log f5_forwarder env=is-forwarder
    ServerSignature Off
</VirtualHost>
Once this is done try to access http://test.com/etc/ . The mod_autoindex and
mod_dir must be loaded, and the DirectoryIndex must contain at least
index.html.
You should be able to list the content of the directory if the user who is
running has the legitimate right.
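
An added configuration check, not part of the original report and not httpd project code: mod_rewrite's documentation says a substitution in server or virtual-host context is treated as a file-system path when its first path component exists on disk, and that [PT] makes it a URI instead. The sketch flags such rules and reports whether a `<Directory />` section denies access by default. The names `audit`, `REPORTED_VHOST` and `NON_FILE_FLAGS` are hypothetical, and it assumes one directive per line with unquoted arguments.

```python
import re

# Constructed sample: the rewrite-relevant lines of the vhost in the report.
REPORTED_VHOST = """\
<VirtualHost *:80>
DocumentRoot /RDC/test.com
<Directory /RDC/test.com>
Options -Indexes +FollowSymLinks
AllowOverride None
</Directory>
RewriteEngine On
RewriteRule ^(.*) $1 [last]
</VirtualHost>
"""

# Flags that stop the substitution being used directly as a file path.
NON_FILE_FLAGS = {"pt", "passthrough", "r", "redirect", "p", "proxy",
                  "f", "forbidden", "g", "gone"}
SECTION = re.compile(r"<(/?)((?:Directory|Location|Files)(?:Match)?)\b\s*([^>]*)>", re.I)
RULE = re.compile(r"RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
DENY_ALL = re.compile(r"(Deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.I)

def audit(conf):
    """Return (risky_rules, root_denied) for one httpd configuration text."""
    risky, stack, root_denied = [], [], False
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        sec = SECTION.match(line)
        if sec:
            if not sec.group(1):        # opening tag: remember (type, argument)
                stack.append((sec.group(2).lower(), sec.group(3).strip().strip('"')))
            elif stack:                 # closing tag
                stack.pop()
            continue
        if stack and stack[-1] == ("directory", "/") and DENY_ALL.match(line):
            root_denied = True
        rule = RULE.match(line)
        if rule and not stack:          # server / virtual-host context only
            sub = rule.group(2)
            flags = {f.split("=")[0].strip().lower()
                     for f in (rule.group(3) or "").split(",")}
            # A path or back-reference substitution with no URI-forcing flag.
            if sub[0] in "/$" and not flags & NON_FILE_FLAGS:
                risky.append((lineno, line))
    return risky, root_denied

if __name__ == "__main__":
    print(audit(REPORTED_VHOST))
```
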