Apache hacking


While trying to help our engineers configure Apache 2.2, I found out, to my complete astonishment, that Apache doesn’t allow negation of an environment variable, e.g. to perform some action in the context of mod_authz_host allow/deny when some environment variable DOESN’T exist. Thus the directive below has no effect:

Deny from env=!HAS_SOMEVAR

I opened a bug with a patch, which was accepted, and it was recently backported to the 2.2 branch, so it will appear in the next version (2.2.10).

Another shortcoming I found is that it’s impossible to unset a cookie while using mod_rewrite. However, checking the code revealed that the value for the cookie isn’t checked, so it’s possible to inject an arbitrary string there, and this is exactly what I did:

RewriteRule ^/$ http://myhost.domain/url [CO=JSESSIONID:;comment=Reset:.myhost.domain:0:/,L]

Notice the trick: the value for the cookie is “;comment=Reset” and the validity period is 0 minutes, making the Set-Cookie header look like this:

Set-Cookie: JSESSIONID=;comment=Reset; path=/; domain=.myhost.domain;
  expires=Sun, 27-Jul-2008 12:00:08 GMT
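
Because the cookie value is copied into the header unchecked, a configuration review can flag CO= flags whose value field would be read by a client as extra Set-Cookie attributes. The script below is an added example, not code from the post or from Apache: the function names and the sample config are constructed, the RFC 6265 cookie-octet grammar is the check chosen here, and only the colon-separated CO= syntax shown above is handled.

```python
import re

# RFC 6265 cookie-octet: printable ASCII except space, DQUOTE, comma, semicolon, backslash
COOKIE_VALUE = re.compile(r'^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$')
RULE = re.compile(r'^\s*RewriteRule\s+\S+\s+\S+\s+\[(?P<flags>[^\]]*)\]', re.I)


def parse_co_flags(line):
    """Yield (name, value, domain, lifetime, path) for each CO= flag on a RewriteRule line."""
    m = RULE.match(line)
    if not m:
        return
    for flag in m.group('flags').split(','):
        key, _, arg = flag.strip().partition('=')
        if key.lower() in ('co', 'cookie'):
            fields = arg.split(':') + [''] * 5  # pad optional lifetime/path
            yield tuple(fields[:5])


def client_view(name, value):
    """Split 'name=value' the way a cookie consumer does: on ';' into value + attributes."""
    first, *attrs = [p.strip() for p in f'{name}={value}'.split(';')]
    return first.partition('=')[2], attrs


def audit(config_text):
    """Return findings for CO= values that fall outside the cookie-octet grammar."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        for name, value, domain, lifetime, path in parse_co_flags(line):
            if not COOKIE_VALUE.match(value):
                seen_value, injected = client_view(name, value)
                findings.append({'line': lineno, 'cookie': name, 'raw_value': value,
                                 'value_seen_by_client': seen_value,
                                 'injected_attributes': injected})
    return findings


# Constructed sample: the rule from the post plus one ordinary CO= rule.
SAMPLE = """\
RewriteEngine On
RewriteRule ^/$ http://myhost.domain/url [CO=JSESSIONID:;comment=Reset:.myhost.domain:0:/,L]
RewriteRule ^/lang/(..)$ /index.html [CO=lang:$1:.myhost.domain:1440:/,L]
"""

if __name__ == '__main__':
    for finding in audit(SAMPLE):
        print(finding)
```

This is a static check of the literal text in the config; a value built from a backreference such as $1 is expanded at request time and is not evaluated here.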
