[RndTbl] weird apache hit

Trevor Cordes trevor at tecnopolis.ca
Sun Feb 23 00:15:05 CST 2020

Doh.  I can also confirm that you can exploit this "flaw" to read any
file in /var/www/html and its subdirs even if other virthost <Location>
and <Directory> rules forbid it.  Further, php files get spit out
verbatim (as source) without execution.  However, you have to guess the
exact file paths/names. Luckily I had dirindexes turned off globally!

I guess the moral of the story is global docroot should never point to
anywhere that has real files when you use virthosts for everything.
However, once I change global docroot, I'll have to make sure every
global setting that applies to docroot and below will be duplicated in
the virthosts, as they may no longer apply to the subdirs... I'll have
to look into that.

Also, having all dir definitions outside of virthosts would have
helped.  I like to keep things nested though as it makes more sense to
me to have dirs inside the only virthosts they can be accessed by.

All this plus the explicit listens on only certain IPs has solved it.
Plus, I realized that newer apaches added support for adding "https" to
the end of a Listen to force that Listen line (port) to only talk
https and not allow it to pretend it's port 80.

More information about the Roundtable mailing list