Mod-rewrite security risk


Dormant account
Mar 4, 2004
South Africa
Hi everyone

Saw a thread post from shoemoney today. I do not use PHP, so this is purely aimed at people making use of Apache hosting, who should read this, as upgrading your servers is of a high priority in my view.


Users who do not use, or have not enabled, the Rewrite module mod_rewrite are not affected by this issue. This issue only affects installations using a Rewrite rule with the following characteristics:
  • The RewriteRule allows the attacker to control the initial part of the rewritten URL (for example if the substitution URL starts with $1)
  • The RewriteRule flags do NOT include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE).