Why does this RegEx fail?

The goal is to rewrite:

http://example.com/Almost-Anything-Here/381 --> /lv.php?id=381&%{QUERY_STRING}

Note that I am ignoring the text in the URL and just trying to get the number (in this example, 381), which I pass to lv.php.

Here is the rule:

RewriteRule ^[/]?[A-Za-z0-9\-_(\.)*]+/([0-9]+)$ /lv.php?id=$1&%{QUERY_STRING} [L]

It works if there are 0, 1 or 2 periods but fails (with an HTTP 500) for 3 or more periods. Why?! I tried a few ways of escaping/capturing the period in the regex but no luck.

Example Test URLs:

  • works: http://example.com/Great/381
  • works: http://example.com/Great./381
  • works: http://example.com/Great../381
  • fails: http://example.com/Great.../381

UPDATE: Here is the error msg from the server log; clearly a regex problem, still not sure why...

Access denied with code 500. Pattern match "\\\\.\\\\.\\\\./" at REQUEST_URI. [msg "Bogus Path denied"] [hostname "www.example.com"] [uri "/Great.../381"]

Eric

1 Answer

I am pretty sure your Apache web server has ModSecurity installed and contains a security configuration like this:

#generic bogus path sigs
SecRule REQUEST_URI "\.\.\./" "id:300006,rev:1,severity:2,msg:'Bogus Path denied'"

There are some ways to turn it off, but usually, mod_security is implemented for a reason.

wp78de
  • As far as I can tell, this was one of the default rules in ModSecurity 2.x. However, I could not find it in the rules for 3.x - but maybe I was looking at the wrong spot. – wp78de May 21 '18 at 05:57
  • Thank you for this reply, looks very likely that this is the culprit! This begs the question, why is that rule in mod_security and do I need to keep it there? Can I just kill it from the mod_security config? – Eric May 21 '18 at 09:03
  • @Eric I cannot give a definitive answer here, but arguably the SecRule is more a sanity check than a real security protection. It might be worth asking on webmasters.stackexchange.com or security.stackexchange.com – wp78de May 21 '18 at 16:28
  • @Eric Arguably, this rule should be removed if it gets in your way. I found here an incident where this rule blocked vBulletin users: https://www.vbulletin.com/forum/forum/vbulletin-4/vbulletin-4-questions-problems-and-troubleshooting/366277-modsec2-blocking-vbulletin-suite and here is a description of the rule and its rationale: https://wiki.atomicorp.com/wiki/index.php/WAF_340008 `There is no such valid path in any operating system` – wp78de May 21 '18 at 23:25
  • Thank you for your help and research! Accepted your answer as best. Appreciate it very much. – Eric May 28 '18 at 10:24
  • I'm sorry, but I had to chuckle when I saw that rule: "Let's by all means preserve the possibility of directory traversal attacks but we need to block access to paths that can't exist and therefore couldn't harm us if we let them pass!" – Arlen Jul 12 '19 at 15:35
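The following is an added example, not code from the question or the answer. It uses Python's `re` module as a stand-in for Apache's PCRE engine to run the question's RewriteRule pattern and the answer's SecRule pattern side by side over the four test URLs (plus two constructed cases). It shows that the RewriteRule itself matches "Great.../381" without trouble and that the 500 comes from the `\.\.\./` ModSecurity rule, which the answer identifies. The ordering assumption (a ModSecurity match is decisive and produces the 500 from the question's log, whatever the rewrite would have done) and the `simulate_request`/`run_examples` helpers are this example's own, not Apache or ModSecurity behaviour reproduced in detail.

```python
import re

# The RewriteRule pattern as posted in the question, applied to the URL path
# (the [/]? makes it work whether or not the path keeps its leading slash).
# Inside the character class, "(", ".", ")" and "*" are plain literals, so any
# run of letters, digits, "-", "_", "(", ".", ")" or "*" is accepted before the
# final "/<number>". Three or more dots are fine as far as this regex goes.
REWRITE_PATTERN = re.compile(r'^[/]?[A-Za-z0-9\-_(\.)*]+/([0-9]+)$')

# The SecRule pattern from the answer ("Bogus Path denied"): three consecutive
# literal dots followed by a slash, anywhere in REQUEST_URI.
BOGUS_PATH_PATTERN = re.compile(r'\.\.\./')


def rewrite_target(path, query_string=''):
    """Return the substitution the RewriteRule would produce, mirroring
    /lv.php?id=$1&%{QUERY_STRING}, or None when the pattern does not match."""
    match = REWRITE_PATTERN.match(path)
    if match is None:
        return None
    return f'/lv.php?id={match.group(1)}&{query_string}'


def blocked_by_modsecurity(request_uri):
    """True when the 'Bogus Path denied' SecRule would fire on this URI."""
    return BOGUS_PATH_PATTERN.search(request_uri) is not None


def simulate_request(request_uri, query_string=''):
    """Model the outcome for one request path (no scheme or host).

    Assumption of this example: a ModSecurity match is treated as decisive and
    yields the 500 seen in the question's log, regardless of whether the
    RewriteRule would have matched. Paths the rule does not match are left for
    Apache to serve as-is ('passthrough').
    """
    if blocked_by_modsecurity(request_uri):
        return {'outcome': 'denied', 'status': 500, 'target': None}
    target = rewrite_target(request_uri, query_string)
    if target is None:
        return {'outcome': 'passthrough', 'status': None, 'target': None}
    return {'outcome': 'rewritten', 'status': None, 'target': target}


def run_examples():
    """Run the question's four test URLs plus two constructed cases and
    return {uri: result} so the outcomes can be checked programmatically."""
    uris = [
        '/Great/381',     # works in the question
        '/Great./381',    # works
        '/Great../381',   # works
        '/Great.../381',  # fails with 500 in the question
        '/Great/../381',  # constructed: two-dot segment, not matched by this SecRule
        '/Great/abc',     # constructed: no trailing number, RewriteRule does not match
    ]
    return {uri: simulate_request(uri, 'page=2') for uri in uris}


if __name__ == '__main__':
    for uri, result in run_examples().items():
        print(f'{uri:<16} {result["outcome"]:<12} {result["target"]}')
```

Running it prints "rewritten" with `/lv.php?id=381&page=2` for the first three URLs and "denied" for `/Great.../381`, reproducing the question's table. The two constructed rows back up the comments: the rule only looks for three dots, so a conventional `..` segment passes straight through, which is why the commenters call it a sanity check rather than a traversal control; and a path without a trailing number is simply not rewritten, independent of ModSecurity.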