Received: (qmail 49957 invoked by uid 501); 19 Sep 2001 03:44:07 -0000
Message-Id: <20010919034407.49956.qmail@apache.org>
Date: 19 Sep 2001 03:44:07 -0000
From: Aragon Gouveia <aragon@phat.za.net>
Reply-To: aragon@phat.za.net
To: submit@bugz.apache.org
Subject: RewriteRules do not match URL's that contain %2f
X-Send-Pr-Version: 3.110

>Number:         8360
>Category:       mod_rewrite
>Synopsis:       RewriteRules do not match URL's that contain %2f
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Tue Sep 18 20:50:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     aragon@phat.za.net
>Release:        1.3.20
>Organization:
apache
>Environment:
FreeBSD root.nis.za 4.3-STABLE FreeBSD 4.3-STABLE #0: Mon Jul 16 14:57:55 SAST 2001     root@root.nis.za:/usr/src/sys/compile/ROOT  i386
>Description:
I'm trying to make a rewrite rule that matches any page requests from this latest code red type worm. An example request:

http://www.domain.com/scripts/..%2f../winnt/system32/cmd.exe

I'm using the following RewriteRule:

RewriteRule cmd\.exe http://www.microsoft.com [R]

When requesting the example URL apache reports a 404 Not found error. However, if you remove the %2f characters from the URL (or replace with something like %20) it matches and redirects to www.microsoft.com as expected.
>How-To-Repeat:
http://www.domain.com/scripts/..%2f../winnt/system32/cmd.exe
>Fix:
no :)
>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <apbugs@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]