[HECnet] Security hole in CSWS

Sampsa Laine sampsa at mac.com
Tue Sep 22 20:34:54 PDT 2009


It appears that
    RewriteRule (;[0-9]*\?)|(;[0-9]*$) [R]

works as well.

The VMS Apache guys know about this and are working on it as we speak, but I would suggest letting any clients etc know about this before the formal advisory goes out as I should think this will hit the automated testing tools such as Nessus pretty soon after that.

Sampsa

On 22 Sep 2009, at 20:27, Pontus wrote:

Hi

I'm not going to pretend I know mod_rewrite, but I spent some time with
the docs and thought you could use the grouping info to replace with
what you matched:

(.*)(;[0-9]*\?) $1
(.*)(;[0-9]*$) $1

(I wrote two rules as I'm uncertain how the | binds)

Alternatively this passage from the docs might provide an alternative
solution:

<snip>

Additionally you can set special flags for Substitution by appending

    [flags]

as the third argument to the RewriteRule directive. Flags is a
comma-separated list of the following flags:

<...>

- 'forbidden|F' (force URL to be forbidden)
This forces the current URL to be forbidden, i.e., it immediately sends
back a HTTP response of 403 (FORBIDDEN). Use this flag in conjunction
with appropriate RewriteConds to conditionally block some URLs.

</snip>

Then you could at least avoid people reading the source.

/Pontus.

Sampsa Laine wrote:
Dennis,

I've got the rule down to:

    RewriteRule (;[0-9]*\?)|(;[0-9]*$) /

but this is not ideal, as I don't really want to replace the ; with a
/, just drop it but can't figure out the syntax for "replace with
nothing".

Any ideas?

Sampsa

On 21 Sep 2009, at 22:12, Dennis Boone wrote:

Yes, I have reported it to VMS engineering in India about an hour ago
(well I assume in India, the guys had subcontinent accents) and they
said they'd get back to me.

In the meantime, if CSWS has mod_rewrite, you might be able to produce a
temporary fix in the form of a rewrite rule that rips the ;* off the
end[1] of .php URLs.

[1] Well, ok, might be the middle too, if it's a GET with parameters,
but that's just a slightly more involved pattern.

De
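As an added example (not code from the thread, from CSWS or from Apache), here is a small Python model of how a RewriteRule's Pattern/Substitution pair rewrites a URL, used to compare the three rule variants discussed above on a few constructed URIs. The rule strings are copied from the thread; the URIs are made up; the emulation is deliberately simplified (real mod_rewrite matches the URL-path without the query string, whereas here the patterns are applied to the full URI string, as the thread's patterns assume).

```python
"""Constructed model of RewriteRule behaviour for the CSWS ';version' suffix."""
import re

FORBIDDEN = "403 Forbidden"   # stand-in for what the [F] flag produces


def apply_rule(uri, pattern, substitution, flags=()):
    """Emulate one RewriteRule.

    If Pattern matches, the WHOLE uri is replaced by Substitution with
    $1..$9 expanded from the capture groups; with [F] a 403 is returned
    instead.  Simplification: the pattern is applied to the full URI string
    (path plus query), which is not how real mod_rewrite matches.
    """
    m = re.search(pattern, uri)
    if not m:
        return uri
    if "F" in flags:
        return FORBIDDEN
    # Unmatched groups expand to the empty string, as in mod_rewrite.
    return re.sub(r"\$([1-9])",
                  lambda g: m.group(int(g.group(1))) or "", substitution)


# The three approaches that appear in the thread (patterns copied verbatim).
SAMPSA_RULE = (r"(;[0-9]*\?)|(;[0-9]*$)", "/")            # whole URL becomes "/"
PONTUS_RULES = [(r"(.*)(;[0-9]*\?)", "$1"),               # keep what precedes ';N?'
                (r"(.*)(;[0-9]*$)", "$1")]                # keep what precedes trailing ';N'
FORBID_RULE = (r"(;[0-9]*\?)|(;[0-9]*$)", "-", ("F",))    # answer 403 instead


def strip_version(uri):
    """Pontus's two $1 rules applied in sequence; the ';N' suffix is dropped."""
    for pattern, subst in PONTUS_RULES:
        uri = apply_rule(uri, pattern, subst)
    return uri


if __name__ == "__main__":
    # Constructed sample URIs, including the suffix forms the thread worries about.
    for uri in ["/index.php", "/index.php;1", "/index.php;?debug=1", "/index.php;3?id=42"]:
        print(f"{uri:24} strip-> {strip_version(uri):12} "
              f"sampsa-> {apply_rule(uri, *SAMPSA_RULE):12} "
              f"forbid-> {apply_rule(uri, *FORBID_RULE)}")
```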


