Re: CVE-2023-25690: Apache HTTP Server: HTTP request splitting with mod_rewrite and mod_proxy

> On 10 Mar 2023, at 16:32, Eric Covener <covener@xxxxxxxxx> wrote:
> 
> On Fri, Mar 10, 2023 at 8:56 AM Thomas Åkesson
> <thomas.akesson@xxxxxxxxxxxx> wrote:
>> 
>> Hi,
>> 
>> We are experiencing the effect that a RewriteRule resulting in R (redirect) is blocked (403) with AH10410 despite being encoded before 2.4.56 (the resulting Location header was ok). Is this change intentional?
>> 
>> Example:
>> RewriteRule             ^/here/([^/]+)(/.*)$    http://example.com:8080/elsewhere/?base=$1&target=$2 [R,QSA,L]
>> 
>> We are evaluating this workaround:
>> [R,B,BNP,NE,QSA,L]
>> 
>> This results in encoded slashes, which is not necessary. Any ideas how to achieve the previous result?

Also found that many additional characters are encoded that were not encoded before 2.4.56 (parentheses, period, ...). The primary concern is loss of URL readability.

> You can limit the characters B will escape.  I assume spaces in the
> URL are the original problem?

Yes, they are the problem that we have seen. I am not sure if the "control characters" mentioned would ever appear in normal use.

> Try e.g. [R,B= ?,...]
> 
> The question mark is to avoid the issue of not being able to have " "
> as the final character in this syntax.

Thanks for the suggestion. I am unable to make 2.4.52 (Ubuntu) accept a space for the B flag. I have tried it as the first, middle, last and only flag, but always get "RewriteRule: bad flag delimiters".

I am also concerned about whether this would work (unable to test at this time).
 - The spaces would likely be double-encoded unless adding NE
 - Adding NE would suppress encoding of all other characters that should be encoded in the query string
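As an added, constructed illustration (not code from this thread or from Apache): a small Python model of the RewriteRule discussed above, showing what the backreferences look like in the resulting Location URL with no B flag, with plain B, and with a restricted list such as the suggested " ?", plus a check for the raw spaces and control characters that the thread says get the redirect refused. The escaping rules are a simplified model of mod_rewrite's B flag, not its implementation, and the clean-Location check is an assumption about what the server rejects.

```python
import re
from typing import Optional

# Constructed model of the rule from the thread; not Apache's own code.
RULE_PATTERN = re.compile(r"^/here/([^/]+)(/.*)$")
TARGET = "http://example.com:8080/elsewhere/?base=$1&target=$2"


def escape_backref(value: str, chars: Optional[str]) -> str:
    """Simplified model of the B flag.
    chars=None  -> no B flag: backreference substituted verbatim
    chars=""    -> plain B: every non-alphanumeric character becomes %XX
                   (this is why slashes and periods end up encoded)
    chars="..." -> B=<list>: only the listed characters are encoded"""
    if chars is None:
        return value
    out = []
    for c in value:
        if chars == "":
            keep = c.isascii() and c.isalnum()
        else:
            keep = c not in chars
        out.append(c if keep else "".join(f"%{b:02X}" for b in c.encode("utf-8")))
    return "".join(out)


def redirect_location(path: str, chars: Optional[str] = None) -> Optional[str]:
    """Apply the rule to a request path and build the Location URL,
    substituting $1/$2 after (optionally) escaping each backreference."""
    m = RULE_PATTERN.match(path)
    if not m:
        return None  # rule does not match, no redirect
    location = TARGET
    for i, group in enumerate(m.groups(), start=1):
        location = location.replace(f"${i}", escape_backref(group, chars))
    return location


def location_is_clean(url: str) -> bool:
    """Defender-side check (assumption modelled on the thread): a Location
    value containing a raw space or a control character is refused."""
    return all(c != " " and 0x20 <= ord(c) != 0x7F for c in url)
```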
