In-Portal Issue Tracker


ID: 0000332
Category: [In-Portal CMS] Security
Type: bug report
Reproducibility: always
Date Submitted: 2009-09-28 09:25
Last Update: 2010-01-11 22:05
Reporter: alex
View Status: public
Project Name: In-Portal CMS
Assigned To: alex
Developer:
Priority: normal
Resolution: fixed
Fixed in Version: 5.0.2
Status: closed
Product Version: 5.0.1
Target Version: 5.0.2
Time Estimate: No estimate
Summary: 0000332: Some of new .htaccess protection rules actually gives Forbidden error on Apache 1.3
Description: Some of the new .htaccess protection rules actually give a Forbidden error on Apache 1.3. For example, on this URL:

/admin/index.php?env=-popups/editor:m0--1--s-2:form-1---t2&TargetField=form[1][Description]

Rule

RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

reacts to the "script" part of that URL, not even searching for "<" or ">", and makes it Forbidden. That particular URL is used to open FCKEditor on the Description field during form editing.
Tags No tags attached.
Estimate Points 0

Notes
(0000570)
alex (manager)
2009-09-28 09:27

Look into this. Valentin says that there are some differences in mod-rewrite processing rules between Apache 1.3 and 2.2, but he can't recall what they are exactly.

Without knowing the changes, I can't write a mod-rewrite rule that will work for sure.
(0000571)
Dmitry (manager)
2009-09-28 11:17

This should work on Apache 1.3 (removed \ before < >)

RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]


Can you please try this on your end on Apache 1.3 and 2.x?
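
The two rules above, checked against the editor URL from the description, as an added example that is not part of the original thread or the In-Portal code base. It assumes the Apache 1.3 regex engine reads `\<` and `\>` as start-of-word and end-of-word anchors, which is consistent with the reported behaviour but is not confirmed in this thread; that reading is emulated here with Python `\b` lookarounds. The function names and the two blocked sample query strings are constructed for illustration.

```python
import re

# Query string of the FCKEditor URL quoted in the issue description.
EDITOR_QS = "env=-popups/editor:m0--1--s-2:form-1---t2&TargetField=form[1][Description]"
# Constructed samples of what the rule is meant to reject (raw and URL-encoded).
BLOCKED_QS = ["q=<script>x</script>", "q=%3Cscript%3Ex%3C/script%3E"]

ORIGINAL = r"(\<|%3C).*script.*(\>|%3E)"  # rule from the description
FIXED = r"(<|%3C).*script.*(>|%3E)"       # rule from note 0000571


def as_word_anchor_engine(pattern):
    """Rewrite \\< and \\> as start/end-of-word anchors (assumed engine behaviour)."""
    return (pattern.replace(r"\<", r"\b(?=\w)")
                   .replace(r"\>", r"\b(?<=\w)"))


def blocked(pattern, query_string, word_anchors=False):
    """True if the RewriteCond pattern would match, i.e. the request is refused.

    word_anchors=False: \\< and \\> are literal characters (PCRE-style).
    word_anchors=True:  \\< and \\> are word boundaries (assumption, see lead-in).
    """
    if word_anchors:
        pattern = as_word_anchor_engine(pattern)
    # [NC] -> case-insensitive; RewriteCond patterns are unanchored -> search().
    return re.search(pattern, query_string, re.IGNORECASE) is not None


def matrix():
    """Results for every (rule, engine, input) combination."""
    rows = []
    for name, rule in (("original", ORIGINAL), ("fixed", FIXED)):
        for anchors in (False, True):
            for qs in [EDITOR_QS] + BLOCKED_QS:
                rows.append((name, anchors, qs, blocked(rule, qs, anchors)))
    return rows


if __name__ == "__main__":
    for name, anchors, qs, hit in matrix():
        engine = "word-anchor" if anchors else "literal"
        status = "403" if hit else "ok"
        print(f"{name:8} {engine:11} {status:3} {qs}")
```

Under the word-anchor reading the original rule matches the "script" inside "Description" and refuses the editor URL, while the rule without backslashes behaves the same under both readings.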
(0000575)
alex (manager)
2009-09-28 14:22

Fix committed to 5.0.x branch. Commit Message:

Fixes 0000332: Some of new .htaccess protection rules actually gives Forbidden error on Apache 1.3
(0001404)
Dmitry (manager)
2010-01-11 22:05

Closing completed tasks.

Related Changesets
In-Portal CMS: 5.0.x r12628
Timestamp: 2009-09-28 14:22:19
Author: alex
Fixes 0000332: Some of new .htaccess protection rules actually gives Forbidden error on Apache 1.3
mod - /in-portal/branches/5.0.x/tools/.htaccess

Issue History
Date Modified Username Field Change
2010-01-11 22:05 Dmitry Note Added: 0001404
2010-01-11 22:05 Dmitry Status resolved => closed
2009-09-28 14:22 alex Fixed in Version => 5.0.2
2009-09-28 14:22 alex Note Added: 0000575
2009-09-28 14:22 alex Status needs feedback => resolved
2009-09-28 14:22 alex Resolution open => fixed
2009-09-28 14:22 alex Changeset attached 5.0.x r12628
2009-09-28 11:17 Dmitry Note Added: 0000571
2009-09-28 11:17 Dmitry Assigned To Dmitry => alex
2009-09-28 11:17 Dmitry Status needs work => needs feedback
2009-09-28 11:17 Dmitry Status needs feedback => needs work
2009-09-28 09:27 alex Note Added: 0000570
2009-09-28 09:27 alex Assigned To => Dmitry
2009-09-28 09:27 alex Status active => needs feedback
2009-09-28 09:25 alex Target Version => 5.0.2
2009-09-28 09:25 alex New Issue
2009-09-28 09:25 alex Patch Status => Not Used


