Hi,
Here's an example of how to reproduce the issue.
We have a folder "modules/" with the following .htaccess content:
##################
RewriteEngine on
# Module only
RewriteRule ^([-a-zA-Z0-9_]+)/?$ %/modules/index.php?module=$1&%{QUERY_STRING} [NC,L]
##################
Accessing the URL:
myapp.local/modules/test_rewrite/?url=mysite.net%3fsearch=question%3f
results in a 403 Forbidden error and generates a log entry:
2025-04-03 12:12:44 [Thu Apr 03 10:12:44.688826 2025] [rewrite:error] [pid 828:tid 847] [client 172.18.0.6:57350] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F
2025-04-03 12:12:44 172.18.0.6 - - [03/Apr/2025:10:12:44 +0000] "GET /modules/test_rewrite/?url=mysite.net%3fsearch=question%3f HTTP/1.1" 403 199
Version used in the container:
$ apachectl -V
Server version: Apache/2.4.62 (Unix)
Server built: Nov 12 2024 02:03:18
Server's Module Magic Number: 20120211:134
Server loaded: APR 1.7.2, APR-UTIL 1.6.3, PCRE 8.39 2016-06-14
Compiled using: APR 1.7.2, APR-UTIL 1.6.3, PCRE 8.39 2016-06-14
Hope it helps
--
https://bugs.launchpad.net/bugs/2103723
Title:
Fix for CVE-2024-38474 also blocks %3f in appended query strings
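Added triage example, not part of the original message and not Apache or Ubuntu code: it pairs AH10508 entries in the error log with the 403 responses in the access log and reports whether the `%3f` sat in the path or only in the query string, which is the case this report describes. The function names are hypothetical, the second access-log line is constructed, and both logs are assumed to use the same time zone.

```python
import re
from datetime import datetime

# Constructed samples in the report's layout; the second access line is invented.
ERROR_LOG = """\
2025-04-03 12:12:44 [Thu Apr 03 10:12:44.688826 2025] [rewrite:error] [pid 828:tid 847] [client 172.18.0.6:57350] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F
"""
ACCESS_LOG = """\
2025-04-03 12:12:44 172.18.0.6 - - [03/Apr/2025:10:12:44 +0000] "GET /modules/test_rewrite/?url=mysite.net%3fsearch=question%3f HTTP/1.1" 403 199
2025-04-03 12:12:45 172.18.0.6 - - [03/Apr/2025:10:12:45 +0000] "GET /modules/test_rewrite/?url=mysite.net HTTP/1.1" 200 512
"""

ERR_RE = re.compile(
    r"\[\w{3} (\w{3} \d{2} \d{2}:\d{2}:\d{2})\.\d+ (\d{4})\] \[rewrite:error\]"
    r".*?\[client (\S+):\d+\] AH10508:")
ACC_RE = re.compile(
    r'(\S+) \S+ \S+ \[([^\] ]+) [^\]]+\] "\S+ (\S+) [^"]*" (\d{3})\b')

def ah10508_events(error_log):
    """Return {(client_ip, second)} for every AH10508 rewrite error."""
    return {
        (m.group(3),
         datetime.strptime(f"{m.group(1)} {m.group(2)}", "%b %d %H:%M:%S %Y"))
        for m in ERR_RE.finditer(error_log)
    }

def classify(target):
    """Say where the encoded question mark sits in a request target."""
    path, _, query = target.partition("?")
    if "%3f" in path.lower():
        return "path"
    return "query-only" if "%3f" in query.lower() else "none"

def triage(error_log, access_log):
    """Pair each 403 with an AH10508 entry (same client, same second)."""
    events = ah10508_events(error_log)
    hits = []
    for line in access_log.splitlines():
        m = ACC_RE.search(line)
        if not m or m.group(4) != "403":
            continue
        # Assumption: both logs are written in the same time zone.
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
        if (m.group(1), when) in events:
            hits.append((m.group(1), m.group(3), classify(m.group(3))))
    return hits
```

`triage(ERROR_LOG, ACCESS_LOG)` returns one tuple per blocked request; a `query-only` result marks the pattern from this report, while `path` marks requests that need a closer look before any rule is relaxed.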