Apache Web Server Forum

Apache security flaw
Apache exposes and allows access to internal servers

 9:25 pm on Oct 6, 2011 (gmt 0)

Hi guys,

Just a heads up about a new flaw that affects Apache, and likely other web servers, if certain reverse proxy and/or ModRewrite rules are in place, allowing access to internal servers.

It's easy to fix so please take your time to look at your httpd.conf and/or .htaccess rules.

Full details at




 9:42 pm on Oct 6, 2011 (gmt 0)

There's a related issue when you use mod_rewrite for normal URL rewriting, especially when you use:

RewriteRule ^(some-pattern) $1/somestuff [L]

instead of:

RewriteRule ^(some-pattern) /$1/somestuff [L]

Here, the leading slash should always be included.
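
One way to run the check this thread asks for, as an added example (not part of any post here and not Apache's own tooling): a small Python scan that flags RewriteRule targets beginning with a backreference, as in the post above. Going one step beyond the thread, it also flags RewriteRule/ProxyPassMatch proxy targets where a backreference follows the host name with no slash in between. The sample rules and host names are constructed.

```python
import re

# Directive, pattern, substitution; trailing flags are ignored.
# Assumption: pattern and target contain no quoted spaces.
RULE = re.compile(r'^\s*(RewriteRule|ProxyPassMatch)\s+(\S+)\s+(\S+)', re.I)
# Target that begins with a backreference, e.g. $1/somestuff
STARTS_WITH_BACKREF = re.compile(r'^[$%]\d')
# Backreference glued to the host name, e.g. http://host$1
HOST_THEN_BACKREF = re.compile(r'^[a-z][a-z0-9+.-]*://[^/$%]*[$%]\d', re.I)

def find_risky_rules(config_text):
    """Return (line_no, directive, target, reason) for each suspect rule."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue  # skip comments
        m = RULE.match(line)
        if not m:
            continue
        directive, _pattern, target = m.groups()
        target = target.strip('"')
        if STARTS_WITH_BACKREF.match(target):
            findings.append((line_no, directive, target,
                             'no leading slash before backreference'))
        elif HOST_THEN_BACKREF.match(target):
            findings.append((line_no, directive, target,
                             'no slash between host and backreference'))
    return findings

# Constructed sample configuration; host names are placeholders.
SAMPLE = """\
RewriteEngine On
# constructed sample rules
RewriteRule ^(some-pattern) $1/somestuff [L]
RewriteRule ^(some-pattern) /$1/somestuff [L]
RewriteRule ^(.*)$ http://backend.internal.example$1 [P]
RewriteRule ^(.*)$ http://backend.internal.example/$1 [P]
ProxyPassMatch ^(/img/.*)$ http://images.internal.example$1
RewriteRule ^old$ - [G]
"""

if __name__ == '__main__':
    for finding in find_risky_rules(SAMPLE):
        print('line %d: %s -> %s (%s)' % finding)
```

Findings are candidates for manual review: each flagged rule should be read in its own context (server config versus .htaccess) before it is changed.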


 7:54 pm on Oct 7, 2011 (gmt 0)

I'm very surprised that no one, other than yourself g1smd, has dived into this thread.

The majority of web sites, and probably almost every SEO'd site out there, is potentially vulnerable to having their DB server and/or every other internal resource (such as a router) exposed, leaving themselves vulnerable to the worst kind of abuse.

That abuse could be a simple re-routing of a site's content (via routing tables at the router level), DNS poisoning for whole companies and subnets, customer data theft and a thousand other abuses.

The shame is that it is so simple to check if you are vulnerable and so easy to fix, with a simple addition of one character - a slash!


 8:06 pm on Oct 7, 2011 (gmt 0)

If you read a good few of the mod_rewrite tutorials published on "SEO websites" you'll soon realise that 99% of the "authors" don't actually understand any of this stuff, and seemingly merely parrot the worst tutorials and the same basic errors over and over again.

Yes, it's a simple flaw and an easy fix. Shame that it will be ignored by the vast majority of sites that need to check things out.

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved