In-Portal Issue Tracker - In-Portal CMS
Viewing Issue Advanced Details
332 [In-Portal CMS] Security bug report always 2009-09-28 09:25 2010-01-11 22:05
alex  
alex  
normal  
closed 5.0.1  
fixed  
 
none 5.0.2  
0
0000332: Some of the new .htaccess protection rules actually give a Forbidden error on Apache 1.3
Some of the new .htaccess protection rules actually give a Forbidden error on Apache 1.3. For example, on this URL

/admin/index.php?env=-popups/editor:m0--1--s-2:form-1---t2&TargetField=form[1][Description]

Rule

RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

Reacts to the "script" part of that URL without even searching for "<" or ">" and makes it Forbidden. That particular URL is used to open FCKEditor on the Description field during form editing.
Issue History
2010-01-11 22:05 Dmitry Note Added: 0001404
2010-01-11 22:05 Dmitry Status resolved => closed
2009-09-28 14:22 alex Fixed in Version => 5.0.2
2009-09-28 14:22 alex Note Added: 0000575
2009-09-28 14:22 alex Status needs feedback => resolved
2009-09-28 14:22 alex Resolution open => fixed
2009-09-28 14:22 alex Changeset attached 5.0.x r12628
2009-09-28 11:17 Dmitry Note Added: 0000571
2009-09-28 11:17 Dmitry Assigned To Dmitry => alex
2009-09-28 11:17 Dmitry Status needs work => needs feedback
2009-09-28 11:17 Dmitry Status needs feedback => needs work
2009-09-28 09:27 alex Note Added: 0000570
2009-09-28 09:27 alex Assigned To => Dmitry
2009-09-28 09:27 alex Status active => needs feedback
2009-09-28 09:25 alex Target Version => 5.0.2
2009-09-28 09:25 alex New Issue
2009-09-28 09:25 alex Patch Status => Not Used

Notes
(0000570)
alex   
2009-09-28 09:27   
Look into this. Valentin says that there are some differences in mod_rewrite rule processing between Apache 1.3 and 2.2, but he can't recall exactly what they are.

Without knowing the differences I can't write a mod_rewrite rule that will work for sure.
(0000571)
Dmitry   
2009-09-28 11:17   
This should work on Apache 1.3 (removed the \ before < and >)

RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]

Can you please try this on your end on Apache 1.3 and 2.x?
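The behaviour reported above is consistent with the regex engine reading `\<` and `\>` not as escaped angle brackets but as GNU-style word-boundary anchors (in POSIX ERE these escapes are undefined; GNU regex treats them as start-of-word and end-of-word, while PCRE, which Apache 2.x uses, treats them as literal `<` and `>`). Under that reading, `(\<|%3C).*script.*(\>|%3E)` matches any query string that contains the letters `script` inside a word, which `TargetField=form[1][Description]` does. The following Python snippet is an added illustration, not code from the tracker or from In-Portal: it evaluates both the original rule and Dmitry's corrected rule against the ticket's query string under the two interpretations, approximating the word-boundary reading with Python's `\b`. That Apache 1.3's engine behaves this way is an assumption drawn from the symptom, not something the ticket states; the second query string is a constructed sample of the kind of input the rule is meant to block.

```python
import re

# Query string from the FCKEditor popup URL in the ticket (the request that was wrongly blocked).
EDITOR_QS = "env=-popups/editor:m0--1--s-2:form-1---t2&TargetField=form[1][Description]"
# Constructed sample of the kind of query string the protection rule is meant to reject.
INJECTED_QS = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

ORIGINAL_RULE = r"(\<|%3C).*script.*(\>|%3E)"   # rule from the bug report
FIXED_RULE = r"(<|%3C).*script.*(>|%3E)"        # Dmitry's fix: backslashes removed


def posix_gnu_flavour(pattern):
    """Approximate an engine with GNU word-boundary extensions (assumed to be what
    Apache 1.3 used here): \\< and \\> are word anchors, modelled with Python's \\b."""
    return pattern.replace(r"\<", r"\b").replace(r"\>", r"\b")


def pcre_flavour(pattern):
    """In PCRE (Apache 2.x), \\< and \\> are escaped literals, so the pattern is unchanged."""
    return pattern


def rewritecond_matches(pattern, query_string, flavour):
    """Emulate `RewriteCond %{QUERY_STRING} <pattern> [NC]`; NC means case-insensitive."""
    return re.search(flavour(pattern), query_string, re.IGNORECASE) is not None


def evaluate(query_string):
    """Return which rule/engine combinations would block the given query string."""
    return {
        "original/posix_gnu": rewritecond_matches(ORIGINAL_RULE, query_string, posix_gnu_flavour),
        "original/pcre": rewritecond_matches(ORIGINAL_RULE, query_string, pcre_flavour),
        "fixed/posix_gnu": rewritecond_matches(FIXED_RULE, query_string, posix_gnu_flavour),
        "fixed/pcre": rewritecond_matches(FIXED_RULE, query_string, pcre_flavour),
    }


if __name__ == "__main__":
    for label, qs in (("editor popup", EDITOR_QS), ("injected sample", INJECTED_QS)):
        print(label)
        for combo, blocked in evaluate(qs).items():
            print(f"  {combo:20s} blocked={blocked}")
```

Only the original rule under the word-boundary reading blocks the editor popup; the corrected rule lets it through in both engines while still rejecting the injected sample. Note that the `.*script.*` core remains a coarse filter: any query string that happens to carry an angle bracket (raw or encoded) on either side of a word such as "Description" will still be refused, so the rule should be tested against every legitimate admin URL, not only this one.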
(0000575)
alex   
2009-09-28 14:22   
Fix committed to 5.0.x branch. Commit Message:

Fixes 0000332: Some of the new .htaccess protection rules actually give a Forbidden error on Apache 1.3
(0001404)
Dmitry   
2010-01-11 22:05   
Closing completed tasks.