Re: [cobalt-users] Disable ReWrite engine
- Subject: Re: [cobalt-users] Disable ReWrite engine
- From: "Brian Curtis" <admin@xxxxxxxxxxx>
- Date: Mon Sep 25 05:58:47 2000
- Organization: Pomfret Computer Technologies
> Has anyone disabled the rewrite engine in the httpd.conf file for the
> virtual sites on a RaQ3? Will this mess up something?
> I tried looking at this list's archives but for some reason I'm getting a
> forbidden error message when trying to look at the page.
>
> Sincerely,
> Robyn LeGris
> http://1-choice.com
I would think that disabling mod_rewrite might break a few things since
Cobalt makes extensive use of rewrites. However, I am by no means an expert
on mod_rewrite, so I will leave a definite answer to one of the more
knowledgeable people on this list.
On another note, has anyone seen the following security issue regarding
mod_rewrite, and can anyone comment on the effects it might have on a Cobalt
piece of hardware?
>>>>
Security vulnerability in mod_rewrite:
The Apache development list this week contains a fix for a security issue
that affects previous versions of Apache, including Apache 1.3.12. Apache is
only vulnerable if you use mod_rewrite and a specific case of the directive
RewriteRule. If the result of a RewriteRule is a filename that contains
regular expression references then an attacker may be able to access any
file on the web server.
Here are some example RewriteRule directives. The first is vulnerable, but
the others are not:
    RewriteRule /test/(.*) /usr/local/data/test-stuff/$1
    RewriteRule /more-icons/(.*) /icons/$1
    RewriteRule /go/(.*) http://www.apacheweek.com/$1
The patch is currently being tested and will be part of the release of
Apache 1.3.13. Until then, users should check their configuration files and
not use rules that map to a filename such as the first example above.
<<<<
The information is a bit vague, so I can't see how rule #1 & #2 above differ
from each other (besides the obvious path differences).
Maybe we'll see an upgrade to Apache 1.3.13 on Cobalt appliances? Although
the security issues of Apache 1.3.9 seem to have been ignored by Cobalt...
--
Brian Curtis
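
The quoted advisory asks users to check their configuration files for rules that map to a filename containing regular expression references. The following is an added example of such a check, not code from this post or from the Apache project. It assumes that a substitution counts as a filename when it is an absolute path whose first segment names a top-level filesystem directory; `FS_ROOTS` and the fourth sample rule are constructed for illustration.

```python
import re

# Directive syntax: RewriteRule <pattern> <substitution> [flags]
RULE_RE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)', re.IGNORECASE)
# $N refers to a RewriteRule pattern group, %N to a RewriteCond group
BACKREF_RE = re.compile(r'[$%][0-9]')
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)


def classify(substitution, fs_roots):
    """Classify a substitution as 'url', 'filename' or 'url-path'.

    Assumption of this example: an absolute path is a filename when its
    first segment is one of the directories listed in fs_roots.
    """
    if SCHEME_RE.match(substitution):
        return 'url'
    if substitution.startswith('/') and substitution.split('/')[1] in fs_roots:
        return 'filename'
    return 'url-path'


def audit(config_text, fs_roots):
    """Return (line number, directive) for each rule that maps to a
    filename and carries a backreference into that filename."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = RULE_RE.match(line)  # commented-out rules do not match
        if not m:
            continue
        substitution = m.group(2)
        if (BACKREF_RE.search(substitution)
                and classify(substitution, fs_roots) == 'filename'):
            findings.append((lineno, line.strip()))
    return findings


# First three rules are the advisory's examples; the fourth is constructed
# (filename target, but no backreference, so it is not reported).
SAMPLE = """\
RewriteRule /test/(.*) /usr/local/data/test-stuff/$1
RewriteRule /more-icons/(.*) /icons/$1
RewriteRule /go/(.*) http://www.apacheweek.com/$1
RewriteRule /static /usr/local/data/static.html
"""
FS_ROOTS = {'usr', 'home', 'var', 'etc'}  # constructed; list the server's real top-level dirs

if __name__ == '__main__':
    for lineno, rule in audit(SAMPLE, FS_ROOTS):
        print(f"line {lineno}: maps backreference into a filename: {rule}")
```

Run it against each httpd.conf and any included files, with `FS_ROOTS` set to the directories that actually exist at the root of that server's filesystem.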