Apache, CVE-2023-25690 and Rewrite Rules...
An Apache bug has been caught, and Debian publishes:
https://lists.debian.org/debian-lts-announce/2023/04/msg00028.html
in which it includes the cryptic:
Unfortunately, fixing these security vulnerabilities may require
changes to configuration files. Some out-of-specification
RewriteRule directives that were previously silently accepted,
are now rejected with error AH10409. For instance, some RewriteRules
that included a back-reference and the flags "[L,NC]" will need to
be written with extra escaping flags such as "[B= ?,BNP,QSA]".
where either you are a guru of Apache rewrite rules, or you don't understand a damn thing.
For example, does "[L,NC]" mean the rewrite rules that contain 'L' and 'NC', or
exactly those that contain 'L,NC'?!
A rewrite rule like:
RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
RewriteRule ^/\.well-known/webfinger https://%{SERVER_NAME}/index.php/.well-known/webfinger [R=301,L]
(nextcloud), is it vulnerable?!
Thanks...
--
If SMB was an animal it would go wolf and most people would have shot it
or put it down humanely. (Rod Boyce)
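
The condition the quoted announcement names, a back-reference in a RewriteRule, can be checked mechanically. The following is an added example, not part of the original post and not Debian's or Apache's code: it lists the rules whose substitution contains $N or %N, and does not decide whether Apache rejects them with AH10409. The sample configuration is constructed, and the `backend.example` rule in it is hypothetical.

```python
import re

# Constructed sample: the three rules quoted in the post, plus one
# hypothetical rule (not from the post) that re-inserts a captured group.
SAMPLE = r'''RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
RewriteRule ^/\.well-known/webfinger https://%{SERVER_NAME}/index.php/.well-known/webfinger [R=301,L]
RewriteRule "^/app/(.*)" "http://backend.example/$1" [P,L,NC]
'''

# Arguments are whitespace-separated; double quotes group an argument.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\S+')
# $0-$9 refer to the RewriteRule pattern, %0-%9 to the last matched RewriteCond.
# %{NAME} (server variable) and ${map:key} (RewriteMap) are not back-references.
BACKREF = re.compile(r'(?<!\\)[$%][0-9]')


def parse_rule(line):
    """Return (pattern, substitution, flags) for a RewriteRule line, else None."""
    tokens = TOKEN.findall(line.strip())
    if len(tokens) < 3 or tokens[0].lower() != "rewriterule":
        return None
    args = [t[1:-1] if len(t) > 1 and t[0] == t[-1] == '"' else t for t in tokens[1:]]
    flags = []
    if len(args) > 2 and args[2].startswith("[") and args[2].endswith("]"):
        # "[L,NC]" is a comma-separated list: two flags, L and NC.
        flags = [f.strip().upper() for f in args[2][1:-1].split(",") if f.strip()]
    return args[0], args[1], flags


def rules_with_backrefs(config_text):
    """List (line number, back-references, flags) for rules that substitute a capture."""
    hits = []
    for number, line in enumerate(config_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        refs = BACKREF.findall(rule[1])
        if refs:
            hits.append((number, refs, rule[2]))
    return hits


if __name__ == "__main__":
    for number, refs, flags in rules_with_backrefs(SAMPLE):
        print(f"line {number}: back-references {refs}, flags {flags}")
```

Rules it lists are the ones to test with `apachectl configtest` after the upgrade.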