Hi,
I probably have overlooked something, but while QAing our Apache (2.2.12 based)
updates it seems CVE-2011-3368 is not fully fixed by the patch referenced.
With the RewriteRule within the <VirtualHost *:80> section,
RewriteEngine on
RewriteRule (.*)\.(ico|jpg|gif|png) http://leo.suse.de$1.$2 [P]
$ telnet teshost 80
GET @www.suse.de/foo.png
...gives me the 404 page of www.suse.de, which is not intended....
I get in the error log:
[Tue Oct 25 14:10:50 2011] [error] [client 10.10.0.233] invalid request-URI
@www.suse.de/foo.png
and in access.log
10.10.0.233 - - [25/Oct/2011:14:10:50 +0200] "GET @www.suse.de/foo.png" 404
16006 "-" "-"
which seems to me like it is half working.
The error.log has the invalid request-URI message from the patched part
of the code, but the 404 is from www.suse.de/foo.png.
=> I think the 0.9 protocol method is not falling out of the uri handling
correctly.
It seems on reading ap_read_request() the 0.9 "assbackwards" case handling
does not error out on r->status set but proceeds and sets r->status to HTTP_OK
and
goes on.
Any ideas? Am I doing stuff wrong?
Ciao, Marcus
