CVE-2024-39573: httpd mod_rewrite now adds a root prefix (/)
Issue
- CVE-2024-39573: httpd mod_rewrite now adds a root prefix (/). The change might affect some RewriteRule configurations.
Sample configuration of /etc/httpd/conf/httpd.conf:
LogLevel rewrite:trace8
RewriteEngine On
RewriteRule ^/(.+) foo/$1
When a client sends an HTTP GET request such as the following:
$ curl http://www.example.com/index.html
httpd-2.4.37-65.module+el8.10.0+22069+b47f5c72.1.x86_64 (CVE-2024-39573) adds the root prefix (/):
$ tail -f /var/log/httpd/error_log | cut -b 201-1000
init rewrite engine with requested uri /index.html
applying pattern '^/(.+)' to uri '/index.html'
rewrite '/index.html' -> 'foo/index.html'
add root prefix: foo/index.html -> /foo/index.html
setting lastsub to rule with output foo/$1
local path result: /foo/index.html
prefixed with document_root to /var/www/html/foo/index.html
go-ahead with /var/www/html/foo/index.html [OK]
httpd-2.4.37-64.module+el8.10.0+21332+dfb1b40e.x86_64 does not add the prefix:
$ tail -f /var/log/httpd/error_log | cut -b 204-1000
init rewrite engine with requested uri /index.html
applying pattern '^/(.+)' to uri '/index.html'
rewrite '/index.html' -> 'foo/index.html'
local path result: foo/index.html
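To find rules that this change may affect, the following added example (not part of the original article and not Red Hat or Apache code) scans httpd configuration text for RewriteRule directives outside per-directory sections whose substitution is a literal relative path such as foo/$1. The function name, the constructed sample configuration, and the choice to skip substitutions that start with /, -, a URL scheme, $ or % are assumptions; Include files and line continuations are not followed.

```python
import re

# Sections that put mod_rewrite in per-directory context, where a relative
# substitution is the normal form; only server/VirtualHost context is reported.
PER_DIR = {"directory", "directorymatch", "location", "locationmatch",
           "files", "filesmatch"}
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")

def relative_substitutions(conf_text):
    """Return (line_no, pattern, substitution) for server-context RewriteRules
    whose substitution is a literal relative path (assumed heuristic)."""
    findings, stack = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):            # closing tag: leave the section
            if stack:
                stack.pop()
            continue
        if line.startswith("<"):             # opening tag: remember section name
            stack.append(line[1:].split()[0].rstrip(">").lower())
            continue
        # Split into arguments, keeping double-quoted arguments together.
        args = [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', line)]
        if len(args) < 3 or args[0].lower() != "rewriterule":
            continue
        if any(section in PER_DIR for section in stack):
            continue
        subst = args[2]
        # Skip "-", absolute paths, URLs, and substitutions that begin with a
        # backreference or variable (their value is not known statically).
        if (not subst or subst == "-" or subst.startswith(("/", "$", "%"))
                or SCHEME.match(subst)):
            continue
        findings.append((no, args[1], subst))
    return findings

# Constructed sample input; the first RewriteRule is the one from this article.
SAMPLE_CONF = """\
LogLevel rewrite:trace8
RewriteEngine On
RewriteRule ^/(.+) foo/$1
RewriteRule ^/old/(.*)$ /new/$1 [L]
RewriteRule ^/ext/(.*)$ http://www.example.com/$1 [R]
RewriteRule ^/keep - [L]
<Directory "/var/www/html">
    RewriteRule ^a/(.*) b/$1
</Directory>
<VirtualHost *:80>
    RewriteRule "^/docs/(.+)" "docs-v2/$1" [PT]
</VirtualHost>
"""

if __name__ == "__main__":
    for no, pattern, subst in relative_substitutions(SAMPLE_CONF):
        print(f"line {no}: RewriteRule {pattern} {subst}")
```

Each reported rule is a candidate to re-test with LogLevel rewrite:trace8 on the updated package, as shown in the log excerpts above.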
Environment
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
- httpd