
Apache, CVE-2023-25690 and Rewrite Rules...



An Apache bug has been caught, and Debian publishes:

	https://lists.debian.org/debian-lts-announce/2023/04/msg00028.html

in which it includes the cryptic:

 Unfortunately, fixing these security vulnerabilities may require
 changes to configuration files. Some out-of-specification
 RewriteRule directives that were previously silently accepted,
 are now rejected with error AH10409. For instance, some RewriteRules
 that included a back-reference and the flags "[L,NC]" will need to
 be written with extra escaping flags such as "[B= ?,BNP,QSA]".

which, unless you are a guru of Apache rewrite rules, you won't understand a damn thing of.

For example, does "[L,NC]" mean the rewrite rules that contain 'L' and 'NC', or
exactly those that contain 'L,NC'?!

A rewrite rule like:

	RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
	RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
	RewriteRule ^/\.well-known/webfinger https://%{SERVER_NAME}/index.php/.well-known/webfinger [R=301,L]

(nextcloud), is it vulnerable?!


Thanks...

-- 
  If SMB was an animal it would go wolf and most people would have shot it
  or put it down humanely.				(Rod Boyce)
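
Added example, not part of the original post and not code from Debian or Apache: a small triage script that lists the RewriteRule lines whose substitution contains a back-reference ($N or %N), the class of rule the quoted advisory names, and reports their flags. The fourth sample rule, the function names and the "review" heuristic (back-reference present, no B flag) are assumptions made for illustration.

```python
import re
import shlex

# Constructed sample: the three rules from the post plus one hypothetical
# rule of the shape the advisory describes (back-reference with [L,NC]).
SAMPLE = r'''
RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
RewriteRule ^/\.well-known/webfinger https://%{SERVER_NAME}/index.php/.well-known/webfinger [R=301,L]
RewriteRule ^/old/(.*)$ /new.php?page=$1 [L,NC]
'''

# $N refers to a RewriteRule pattern group, %N to a RewriteCond group.
# %{NAME} is a server variable, not a back-reference, and does not match.
BACKREF = re.compile(r'(?<!\\)[$%][0-9]')

def parse_rule(line):
    """Return (pattern, substitution, flags) for a RewriteRule line, else None."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    # posix=False keeps backslashes such as "\." in the pattern intact.
    parts = [p.strip('"') for p in shlex.split(line, posix=False)]
    if len(parts) < 3 or parts[0].lower() != 'rewriterule':
        return None
    flags = []
    if len(parts) > 3 and parts[3].startswith('['):
        flags = [f.strip() for f in parts[3].strip('[]').split(',')]
    return parts[1], parts[2], flags

def triage(config_text):
    """List every RewriteRule with its back-references and flag names."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        _, subst, flags = rule
        refs = BACKREF.findall(subst)
        names = {f.split('=')[0].upper() for f in flags}
        # Heuristic (assumption): a back-reference with no B flag is the
        # kind of rule the advisory says may need extra escaping flags.
        findings.append({'line': lineno, 'backrefs': refs, 'flags': names,
                         'review': bool(refs) and 'B' not in names})
    return findings

if __name__ == '__main__':
    for f in triage(SAMPLE):
        print(f)
```

A rule marked for review is only of the kind the advisory mentions and should then be read against the mod_rewrite documentation; the script gives no verdict on CVE-2023-25690 itself.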


