ZF-6411: Provided .htaccess Rewrite Rules Result In Vulnerability


Section Create the Rewrite Rules

RewriteEngine On RewriteCond %{REQUEST_FILENAME} -s [OR] RewriteCond %{REQUEST_FILENAME} -l [OR] RewriteCond %{REQUEST_FILENAME} -d RewriteRule ^.$ - [NC,L] RewriteRule ^.$ index.php [NC,L]

The preceding rewrite rules work as intended, however if other code is in the publicly accessible directory along with the index.php bootstrap file, an attacker with precise knowledge of a full file path can access said file directly, bypassing the single point of entry.

Ideally, a production setup would have all library and application code outside of the webroot, but I've seen rewrite rules that effectively prevent this particular form of attack. Since I imagine the majority of users will be using Apache, I'd think it best to provide the safest rewrite rules possible in the documentation.


Part of the reason we went with this particular rewrite rule was because developers were discovering that as they added new filetypes to their document root, they were unable to access them without updating the rewrite rules. This became especially problematic once we added Dojo and jQuery support, which introduced a number of additional filetypes we had not previously accounted for.

Additionally, the best practice we have always advised is to keep non-public files outside of the document root.

My inclination is to simply provide a note in the documentation with a warning about potential abuses of this rule, but to leave it as is.

I think that's a fair compromise. Cheers for the prompt and thoughtful response!

Notes added to Zend_Application and Zend_Controller quick start docs in both trunk and 1.8 release branch.