On Dec 13, 2007 7:31 PM, Samuel Vogel <samy-delux@xxxxxx> wrote:
> Hey guys,
>
> I just noticed a really bad security problem on my servers!
> The following RewriteRule exposes my system directories like /etc and
> /var etc. :
>
> RewriteCond %{HTTP_HOST} !^www\.user\.domain\.de
> RewriteCond %{HTTP_HOST} ^(www.)?([a-z0-9-]+)\.user\.domain\.de
> RewriteRule (.*) /%2/$1 [L]
>
> I do not understand why though. Maybe this is not the real origin of the
> problem, but when I disable those lines, the system directories are not
> accessible anymore.
> The rewriting is supposed to rewrite sub.user.domain.de to
> user.domain.de/sub. Which works, but if you put "etc" in place of "sub",
> it goes to "/etc/" and not to "/my/docroot/user/etc/".

The rule you show us above will rewrite sub.user.domain.de/foo to /sub/foo, and sub.user.domain.de/ to /sub. Is this what you want? All your subdomains live in the root?

I suppose what you want is:

RewriteCond %{HTTP_HOST} !^www\.user\.domain\.de
RewriteCond %{HTTP_HOST} ^(www\.)?([a-z0-9-]+)\.user\.domain\.de
RewriteRule (.*) /my/doc/root/%2/$1 [L]

> Why is that the case? And how can I prevent this?

Firstly, if you want to know what is going on in your rewrite rules, turn on rewrite logging. It will tell you a bundle, and will give us something to look at if you can't figure it out yourself.

Secondly, you should have the following in your httpd.conf:

<Directory />
    Order Deny,Allow
    Deny from all
</Directory>

This turns off access to your entire filesystem by default, which protects you against accidentally showing stuff to the world. You can then selectively make parts of your file system available again:

<Directory /my/doc/root>
    Order Deny,Allow
    Allow from all
</Directory>

Krist

--
krist.vanbesien@xxxxxxxxx
krist@xxxxxxxxxxxxx
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
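To make the difference between the two RewriteRule targets concrete, here is a small Python model of the thread's rules (an added example, not code from either poster or from Apache). It applies the RewriteCond backreference (%2) and the RewriteRule capture ($1) to a request, then models the one mod_rewrite detail that causes the problem: when a substitution is an absolute path whose first component exists as a directory on the filesystem, mod_rewrite treats it as a filesystem path rather than a URL path under DocumentRoot. The set of existing top-level directories is constructed, the docroot /my/doc/root is taken from Krist's reply, the leading dot in "www." is escaped, and per-directory context (where $1 carries no leading slash) is assumed. The final check is what a defender wants: does the resolved path stay under the docroot?

```python
import os
import re

# Assumed for this example: the docroot from the thread and a constructed
# set of top-level directories that exist on the server.
DOCROOT = "/my/doc/root"
EXISTING_TOP_DIRS = {"/etc", "/var", "/my"}

# The two RewriteConds from the thread ("www\." escaped here).
HOST_EXCLUDE = re.compile(r"^www\.user\.domain\.de")
HOST_CAPTURE = re.compile(r"^(www\.)?([a-z0-9-]+)\.user\.domain\.de")

# The original target and Krist's suggested target.
ORIGINAL = "/%2/$1"
FIXED = DOCROOT + "/%2/$1"


def substitute(host, uri, template):
    """Apply the RewriteCond pair and a RewriteRule template to one request.
    %2 is the second RewriteCond capture (the subdomain), $1 the RewriteRule
    capture, assumed here to be the URI without its leading slash
    (per-directory context). Returns None when the conditions do not match."""
    if HOST_EXCLUDE.match(host):
        return None
    m = HOST_CAPTURE.match(host)
    if m is None:
        return None
    return template.replace("%2", m.group(2)).replace("$1", uri.lstrip("/"))


def map_to_filesystem(target):
    """Simplified model (an assumption of this example) of how mod_rewrite
    treats an absolute substitution: if its first path component is an
    existing directory it is a filesystem path; otherwise it is a URL path
    and is served relative to DocumentRoot."""
    first = "/" + target.lstrip("/").split("/", 1)[0]
    if first in EXISTING_TOP_DIRS:
        return os.path.normpath(target)
    return os.path.normpath(DOCROOT + "/" + target.lstrip("/"))


def confined_to_docroot(path):
    """True when the resolved filesystem path stays inside DOCROOT."""
    return os.path.commonpath([DOCROOT, path]) == DOCROOT


def check(host, uri, template):
    """Return (resolved filesystem path, confined?) or None if no rewrite."""
    target = substitute(host, uri, template)
    if target is None:
        return None
    fs_path = map_to_filesystem(target)
    return fs_path, confined_to_docroot(fs_path)


if __name__ == "__main__":
    requests = [("sub.user.domain.de", "/foo"), ("etc.user.domain.de", "/passwd")]
    for label, tmpl in (("original", ORIGINAL), ("fixed", FIXED)):
        for host, uri in requests:
            print(label, host, uri, "->", check(host, uri, tmpl))
```

With the original target, "sub.user.domain.de/foo" lands under the docroot only because "/sub" happens not to exist, while "etc.user.domain.de/passwd" becomes "/etc/passwd" and escapes it; with the docroot prefixed into the target, both stay confined. The blanket `<Directory />` deny Krist recommends is the second layer, for the case where a rule like this slips through anyway.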
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx