Hey guys, I just noticed a really bad security problem on my servers!The following RewriteRule exposes my system directories like /etc and /var etc. :
RewriteCond %{HTTP_HOST} !^www\.user\.domain\.de
RewriteCond %{HTTP_HOST} ^(www.)?([a-z0-9-]+)\.user\.domain\.de
RewriteRule (.*) /%2/$1 [L]
I do not understand why thou. Maybe this is not the real origin of the
problem, but when I disable those lines, the system directories are not
accessible anymore.
The rewriting is supposed to rewrite sub.user.domain.de to
user.domain.de/sub. Which works, but if you put "etc" in place of "sub",
it goes to "/etc/" and not to "/my/docroot/user/ect/".
Why is that the case? And how can I prevent this? Regards, Samy --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|