RewriteRule exposing system directories

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hey guys,

I just noticed a really bad security problem on my servers!
The following RewriteRule exposes my system directories like /etc and /var etc. :

RewriteCond %{HTTP_HOST} !^www\.user\.domain\.de
RewriteCond %{HTTP_HOST} ^(www.)?([a-z0-9-]+)\.user\.domain\.de
RewriteRule (.*) /%2/$1 [L]

I do not understand why thou. Maybe this is not the real origin of the problem, but when I disable those lines, the system directories are not accessible anymore. The rewriting is supposed to rewrite sub.user.domain.de to user.domain.de/sub. Which works, but if you put "etc" in place of "sub", it goes to "/etc/" and not to "/my/docroot/user/ect/".

Why is that the case? And how can I prevent this?

Regards,
Samy

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux