Sharley wrote:jchelpdeskwv wrote:As a workaround, an extra slash can be added to the rewrite rule.
If using the mod_rewrite rule and it affects you or any other reader then use this workaround until the developer makes a decision ( the developer has been made aware of this issue and your post ).
The security hole comes only if you
a) have a rewrite rule (mod_rewrite must be activated) with...
b) ...a proxy pass (mod_proxy must be activated) to a hidden not public server mostly in your Intranet area.
For example: The publicly visible address 'other.example.com' gets all images over the internal image server 'images.example.com'.
RewriteRule (.*)\.(jpg|gif|png) http://images.example.com$1.$2 [P]
ProxyPassMatch (.*)\.(jpg|gif|png) http://images.example.com$1.$2Full details from this article and for sound advise re. reviewing any existing rewrite rules:
http://www.apachelounge.com/viewtopic.php?p=19415Seems most people can fix the problem by themselves in the Apache configuration with a beginning Slash in the RewriteRule as I pointed out already.
For example:
RewriteRule /(.*)\.(jpg|gif|png) http://images.example.com/$1.$2 [P]Or even better, do not configure Apache for a URL rewrite with an Apache proxy pass to connect an insecure Intranet server behind your firewall.
Perhaps you will be able yo do this with the coming final Apache 2.2.22 version. Perhaps ...
I think that most Apache servers do not have a redirect with a proxy pass to a 'hidden Intranet' server like the image server in the example above. So this leak could be a very limited problem.
Implementing a new XAMPP version with patches is no quick and easy operation, so when the next Apache release goes final it will induce a new XAMPP release when time permits.