https://bz.apache.org/bugzilla/show_bug.cgi?id=69197

            Bug ID: 69197
           Summary: Fix for CVE-2024-39573 also blocks %3f in appended
                    query strings
           Product: Apache httpd-2
           Version: 2.4.60
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_rewrite
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Overview:

The SSRF fix in mod_rewrite introduced in r1918561 produces a "403 Forbidden"
response not only when an encoded question mark is introduced through a
backreference but also when an existing query string appended via the QSA flag
contains %3F.


Steps to Reproduce:

1) Prepare a webroot with an index.html file.

2) Set up a vhost with the following rewrite rules
   (or add them to a .htaccess file):

  RewriteEngine On
  RewriteRule ^(.*)$ index.html?_path=$1 [L,QSA]

3) Access /test?url=https%3A%2F%2Fexample.com%2F%3Ffoo%3Dbar in a web browser


Actual Results:

The HTTP server produces a "403 Forbidden" response.

Only when the UnsafeAllow3F flag is added to the RewriteRule are the results
as expected.


Expected Results:

The URL should have been rewritten to /index.html?_path=%2Ftest&foo=bar and the
contents of index.html should have been delivered to the web browser.


Additional Information:

Rewrite rules similar to the one used in step 2 above are common in .htaccess
files delivered with PHP applications. To e.g. prevent issues with mod_cache,
the original path is passed to the target script via the query string and all
query string parameters from the original URL are appended via the QSA flag.

This issue affects all URLs for these applications which contain a %3F
somewhere in the query string. This commonly happens e.g. for search forms (the
user may enter a question mark as part of the search query) and for scripts
that send a URL in a query string (for example
?referer=https%3A%2F%2Fexample.com%2F%3Ffoo%3Dbar).
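The distinction the report draws, between an encoded question mark that a backreference introduces into the substitution and one that already sits in the original query string appended by QSA, can be made concrete with a small model. The following Python is an added example, not mod_rewrite's code and not from the reporter; it assumes the rule from step 2 with the capture group `^(.*)$`, percent-encodes backreferences as they are spliced in (which yields the `_path=%2Ftest` the report expects), and applies the policy the report asks for: only a backreference-introduced `%3F` leads to 403, unless `UnsafeAllow3F` is set, while the QSA-appended query string passes through untouched. A second helper scans constructed access-log lines for 403 responses whose query string carries `%3F`, which is the quickest way to gauge how many requests hit this behaviour after an upgrade to 2.4.60.

```python
import re
from urllib.parse import urlsplit, quote, unquote

# The rule from the report (assumption: the reporter meant ^(.*)$, since the
# substitution references $1). This is a model, not mod_rewrite's implementation.
PATTERN = re.compile(r"^(.*)$")
SUBSTITUTION = "index.html?_path=$1"


def rewrite(request_uri, pattern=PATTERN, substitution=SUBSTITUTION,
            qsa=True, unsafe_allow_3f=False):
    """Model the rule and return {"status", "rewritten", "reason"}.

    Two sources of an encoded '?' are kept apart: text spliced in through a
    backreference, and the original query string that QSA appends verbatim."""
    parts = urlsplit(request_uri)
    # httpd matches the rule against the percent-decoded path, so decode first.
    path, original_qs = unquote(parts.path), parts.query
    m = pattern.match(path)
    if m is None:
        return {"status": 200, "rewritten": request_uri, "reason": "pattern did not match"}

    # Percent-encode each backreference as it is spliced in, so '/' and '?'
    # become %2F and %3F in the substitution result.
    backrefs = {str(i): quote(m.group(i) or "", safe="")
                for i in range(1, pattern.groups + 1)}
    expanded = re.sub(r"\$(\d)", lambda mo: backrefs.get(mo.group(1), ""), substitution)
    new_path, _, new_qs = expanded.partition("?")

    # Policy under discussion: only a '?' that a backreference introduced is
    # grounds for 403, unless the rule carries UnsafeAllow3F.
    if any("%3f" in b.lower() for b in backrefs.values()) and not unsafe_allow_3f:
        return {"status": 403, "rewritten": None, "reason": "backreference introduced %3F"}

    # QSA appends the original query string, which may legitimately contain %3F.
    if qsa and original_qs:
        new_qs = f"{new_qs}&{original_qs}" if new_qs else original_qs
    rewritten = "/" + new_path + (f"?{new_qs}" if new_qs else "")
    return {"status": 200, "rewritten": rewritten, "reason": "ok"}


# Combined-log-format request line and status, e.g. "GET /x?y HTTP/1.1" 403
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jul/2024:10:00:00 +0000] "GET /test?url=https%3A%2F%2Fexample.com%2F%3Ffoo%3Dbar HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jul/2024:10:00:01 +0000] "GET /search?q=why%3F HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Jul/2024:10:00:02 +0000] "GET /search?q=hello HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Jul/2024:10:00:03 +0000] "GET /admin?x=%3F HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.8 - - [10/Jul/2024:10:00:04 +0000] "GET /private HTTP/1.1" 403 199 "-" "curl/8.0"',
]


def find_3f_403s(log_lines):
    """Return request targets of 403 responses whose query string contains %3F.
    After an upgrade to 2.4.60 these are the requests to check against this bug."""
    hits = []
    for line in log_lines:
        mo = LOG_RE.search(line)
        if not mo or mo.group("status") != "403":
            continue
        if "%3f" in urlsplit(mo.group("target")).query.lower():
            hits.append(mo.group("target"))
    return hits


if __name__ == "__main__":
    report_request = "/test?url=https%3A%2F%2Fexample.com%2F%3Ffoo%3Dbar"
    print("report's request:", rewrite(report_request))
    # The case the fix targets: an encoded '?' arriving through the backreference.
    print("backreference %3F:", rewrite("/foo%3Fbar"))
    print("same with UnsafeAllow3F:", rewrite("/foo%3Fbar", unsafe_allow_3f=True))
    print("403s with %3F in query:", find_3f_403s(SAMPLE_LOG))
```

With this policy the report's request is served and rewritten to `/index.html?_path=%2Ftest&url=https%3A%2F%2Fexample.com%2F%3Ffoo%3Dbar` (QSA appends the whole original query string), whereas a request whose path carries an encoded `?` into the backreference is refused unless `UnsafeAllow3F` is set.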
