Apache Mod ReWrite Rules Bypassing Image Linking Vulnerability

Apache is a freely available, widely used web server distributed and maintained by the Apache Server Project.

It is possible to bypass mod_rewrite rules if the rules are constructed in a certain way, such as:

RewriteCond %{HTTP_REFERER} !^http://www\.yoursite\.com.*$
RewriteRule ^/images/.* - [G]

This does not filter requests for the //images directory, and could allow a remote site to link images, resulting in increased hosting costs, and potentially a denial of service.


Privacy Statement
Copyright 2010, SecurityFocus