Issues

ZF-6411: Provided .htaccess Rewrite Rules Result In Vulnerability

Issue Type: Docs: Problem Created: 2009-04-24T08:40:45.000+0000 Last Updated: 2009-04-26T18:45:55.000+0000 Status: Resolved Fix version(s): - 1.8.0 (30/Apr/09)

Reporter: Patrick Wilson (uncultured) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_Controller

Related issues: Attachments:

Description

http://framework.zend.com/manual/en/…

Section 12.1.2.3. Create the Rewrite Rules

RewriteEngine On RewriteCond %{REQUEST_FILENAME} -s [OR] RewriteCond %{REQUEST_FILENAME} -l [OR] RewriteCond %{REQUEST_FILENAME} -d RewriteRule ^.$ - [NC,L] RewriteRule ^.$ index.php [NC,L]

The preceding rewrite rules work as intended, however if other code is in the publicly accessible directory along with the index.php bootstrap file, an attacker with precise knowledge of a full file path can access said file directly, bypassing the single point of entry.

Ideally, a production setup would have all library and application code outside of the webroot, but I've seen rewrite rules that effectively prevent this particular form of attack. Since I imagine the majority of users will be using Apache, I'd think it best to provide the safest rewrite rules possible in the documentation.

Comments

Posted by Matthew Weier O'Phinney (matthew) on 2009-04-24T09:08:01.000+0000

Part of the reason we went with this particular rewrite rule was because developers were discovering that as they added new filetypes to their document root, they were unable to access them without updating the rewrite rules. This became especially problematic once we added Dojo and jQuery support, which introduced a number of additional filetypes we had not previously accounted for.

Additionally, the best practice we have always advised is to keep non-public files outside of the document root.

My inclination is to simply provide a note in the documentation with a warning about potential abuses of this rule, but to leave it as is.

Posted by Patrick Wilson (uncultured) on 2009-04-24T09:46:20.000+0000

I think that's a fair compromise. Cheers for the prompt and thoughtful response!

Posted by Matthew Weier O'Phinney (matthew) on 2009-04-26T18:22:22.000+0000

Notes added to Zend_Application and Zend_Controller quick start docs in both trunk and 1.8 release branch.

Have you found an issue?

See the Overview section for more details.

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts