Score:0

Apache 404 fails with /boot.ini%2500.htm

ph flag

For some reason the following .htaccess will redirect to a 404 page if the tested URL is /boot.ini.htm but not if it is /boot.ini%2500.htm.

What do I need to change to make this work or is this a bug?

Options All -Indexes
Options +FollowSymlinks

# Serve the same custom page for forbidden and missing resources
ErrorDocument 403 /site/404
ErrorDocument 404 /site/404

RewriteEngine On

# Leave requests under /fonts alone
RewriteRule ^(fonts)($|/) - [L]

# Strip a trailing slash from non-directory URLs with a permanent redirect
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.+)/$
RewriteRule ^ %1 [L,R=301]

# Front controller: anything that is not an existing file or directory goes to index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([\s\S]*)$ index.php/$1 [L,NC,QSA]

# Ensure Authorization header is passed along
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

ServerSignature Off

php_value memory_limit 256M

My server is:

Server version: Apache/2.4.41 (Ubuntu)

Server built: 2021-06-17T18:27:53

kz flag
"change to make this work" - what is the desired result? Does `/boot.ini.htm` exist as a physical file? Does `/boot.ini%00.htm` exist (i.e. `/boot.ini%2500.htm` URL-decoded)? What is the response when you request `/boot.ini%2500.htm`? There's nothing in your `.htaccess` file that would specifically target these requests. BTW, your directives are in the wrong order... the last rule regarding `Authorization` should go before the preceding (front-controller) rule (although this has nothing to do with your current issue).
Antony avatar
ph flag
Thanks - sorry if I wasn't clear. I'd just like it to redirect to the 404 page. No - neither boot.ini.htm nor boot.ini%00.htm exist. As such I would have suspected the ErrorDocument 404 would have done so.
kz flag
So, what response (and HTTP status) do you actually get when you request `/boot.ini%2500.htm`? A potential issue with your custom 404 `ErrorDocument` is that you seemingly pass the 404 request through your PHP framework (assuming MultiViews is not enabled and `/site/404.php` does not exist?) - so whatever response you are seeing may also be dependent on your framework.
kz flag
What about a request for `/something%2500else`? is the response the same?
ph flag
Yes, I do see the CodeIgniter icon in the tab name so I guess it is filtering through, but without the %2500 CI does handle it correctly.
ph flag
Your example of /something%2500else also results in a 404 page but with the CI favicon suggesting it might be passed through
kz flag
The favicon (in the tab) is persistently cached by the browser - so seeing that doesn't necessarily mean anything. What is the actual response you see in the browser - is it a server/Apache generated response? A default error response? Blank page? What is the HTTP status code of the response (check the network tab in the browser dev tools)... is it a 404, 200, 406, ??? The response might be from a mod_security rule or something?
kz flag
"`/something%2500else` also results in a 404 page" - is that the same as `/boot.ini%2500.htm` or different? Try also `/something%2500.htm`.
ph flag
In all instances (including the latest /something%2500.htm) I am seeing the default Apache 404 response with title "404 Not Found" and `Not Found: The requested URL was not found on this server.` as the body.
kz flag
Do you have access to the server config?
ph flag
Yep, the server is fully mine.
kz flag
In that case, what is the server/vHost config? What modules do you have loaded? mod_security rules? Firewall? (Aside: If this is your server then why are you doing so much in `.htaccess`?)
Score:0
kz flag

In all instances I am seeing the default Apache 404 response

In that case the request is certainly not being processed by CodeIgniter. It looks like the 404 is being triggered by the Apache server, before .htaccess is even processed. This is quite likely triggered by something like mod_security (there might be some clue in the HTTP response headers).

URLs that contain % can potentially pose a security threat. So it wouldn't necessarily be that unusual to have a blanket rule on the server that simply blocks these requests. Unless you have access to the server config in some form then it's unlikely you can do anything to influence this.

But it is already returning a 404. And a 404 is a 404 after all, so it's not going to make any difference to bots. And real users should never be making such requests anyway.
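A small probe for the checks asked for in the comments: it requests the paths from the thread without re-encoding them, records the status and the Server header, and tells the stock httpd 404 page apart from one produced by the ErrorDocument or the framework. This is an added example, not code from the question or the answer; BASE_URL and the two sample response bodies are constructed for illustration, and the second sample only resembles a framework page.

```python
"""Probe the URLs from the thread and tell an httpd core error page apart
from one produced by the application.

Added example, not code from the question or the answer. BASE_URL and the
sample response bodies below are constructed; point BASE_URL at the vhost
under test.
"""
import re
import urllib.error
import urllib.parse
import urllib.request

# Assumed host; replace with the server being tested.
BASE_URL = "http://127.0.0.1"

# Paths discussed in the thread.
PROBE_PATHS = ["/boot.ini.htm", "/boot.ini%2500.htm", "/something%2500.htm"]

# Body httpd core emits for a 404 when no ErrorDocument took effect.
APACHE_CORE_404 = re.compile(
    r"<title>404 Not Found</title>.*<h1>Not Found</h1>\s*"
    r"<p>The requested URL was not found on this server\.</p>",
    re.S,
)


def decode_steps(path, rounds=2):
    """Return [path, decoded once, decoded twice, ...].

    %2500 becomes the three characters '%00' after one decode and a NUL
    byte only if something decodes it a second time, which is why the two
    URLs in the question are not the same thing to the server.
    """
    steps = [path]
    for _ in range(rounds):
        steps.append(urllib.parse.unquote(steps[-1]))
    return steps


def classify(status, headers, body):
    """Label who generated the response.

    apache-core-404: the stock httpd page, so neither the ErrorDocument nor
                     the front controller handled the request.
    custom-404:      a 404 with any other body (ErrorDocument or framework).
    forbidden:       a 403, the usual status for a blocking rule.
    served:          any 2xx.
    """
    if status == 404 and APACHE_CORE_404.search(body):
        return "apache-core-404"
    if status == 404:
        return "custom-404"
    if status == 403:
        return "forbidden"
    if 200 <= status < 300:
        return "served"
    return "http-%d" % status


def probe(path, base_url=BASE_URL, timeout=5):
    """Fetch one path as-is (no re-encoding) and summarise the reply."""
    req = urllib.request.Request(base_url + path, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, headers = resp.status, dict(resp.headers)
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, headers = err.code, dict(err.headers)
        body = err.read().decode("utf-8", "replace")
    return {
        "path": path,
        "decoded": decode_steps(path),
        "status": status,
        "server": headers.get("Server"),
        "label": classify(status, headers, body),
    }


# Constructed responses used to exercise the classifier offline.
SAMPLE_CORE_404 = (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    "<html><head>\n<title>404 Not Found</title>\n</head><body>\n"
    "<h1>Not Found</h1>\n"
    "<p>The requested URL was not found on this server.</p>\n"
    "</body></html>\n"
)
SAMPLE_APP_404 = (  # constructed; shaped like a framework error page
    "<html><head><title>404 Page Not Found</title></head>"
    "<body><h1>404 Page Not Found</h1></body></html>"
)

if __name__ == "__main__":
    for p in PROBE_PATHS:
        try:
            print(probe(p))
        except urllib.error.URLError as err:
            print("%s: could not connect (%s)" % (p, err.reason))
```

A label of apache-core-404 for the %2500 paths but custom-404 for /boot.ini.htm confirms what the comments established: the request never reached the ErrorDocument or index.php. One thing worth confirming with `LogLevel rewrite:trace3` is whether anything along the rewrite chain decodes the path a second time, because httpd core answers a path that decodes to a NUL byte with its own 404 before any per-directory configuration is read; the decode_steps output shows the two forms the path can take.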


