❓ SYMPTOM Description: You will start to see Google Search console reporting some 403 Forbidden HTTP Error around 2023-March about your product-rewrite page, catalog-rewrite page or tags-rewrite pages and these rewrite pages are with "Space (0x20, %20)".
❓ And these URLs were just 100% OK before January 2023 and February 2023 and you did NOT touch any thing in mod_rewrite section in your htaccess or site-config at all.
Fact & Issue Analysis
✅ Fact 1: In fact, when you try to check access.log, it is 100% perfect with HTTP 200 OK for every time you check it.
✅ Fact 2: When you look at the apache2 error.log, you will see "AH10410: Rewritten query string contains control characters or spaces", and this is trigger by Apache2 HTTP mod_rewrite.
代碼:
[Tue Mar 16 10:44:05.479647 2023] [rewrite:error] [client 55.66.77.88:65176] AH10410: Rewritten query string contains control characters or spaces
✅ Fact 3: You did some Apache2 httpd upgrade (yum/dnf update or apt upgrade or something like this) around early of March 2023. In fact, though this CVE-2023-25690 is much like a mod_proxy patch, BUT HOWEVER, it did revise mod_rewrite & mod_rewrite_http2 as well.
✅ Analysis 4: Then, you look at this CVE patch in github or svn apache.org, you will see.
代碼:
Author: covener
Date: Sun Mar 5 20:28:43 2023 UTC
Changed paths: 7
Log Message:
Merge r1908095 from trunk:
+ if (r->args && *(ap_scan_vchar_obstext(r->args))) {
+ /*
+ * We have a raw control character or a ' ' in r->args.
+ * Correct encoding was missed.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10410)
+ "Rewritten query string contains control "
+ "characters or spaces");
+ return HTTP_FORBIDDEN;
+ }
if (ACTION_STATUS == rulestatus) {
int n = r->status;
✅ Workaround 1: This is NOT an issue of your cgi app, nor your scripts issue(python, java, php, ruby) since you didn't touch them at all. This is Apache2 RewriteRule issue, JUST try to add an [B] flag in the end of your RewriteRule before [QSA]
For example, Try to revise your rewrite conf or .htaccess.
代碼:
# ❌ BEFORE (though it is 100% OK before 2023 Feb or Jan ...)
RewriteRule ^/product/(.*)/([0-9]*)$ /control/show_product.php?prod=$1&p=$2 [QSA]
# ✅ AFTER: Add a [B] flag in the rear of your rewrite rule, usually before [QSA]
RewriteRule ^/product/(.*)/([0-9]*)$ /control/show_product.php?prod=$1&p=$2 [B,QSA]
(Optional, Do an apache2 restart and)
then test again your "/product/good example product/" and this rewrite will become OK again!
(2023-03) AH10410-Rewritten query string contains control characters or spaces (403 error).jpg
USN-5942-1: Apache HTTP Server vulnerabilities
9 March 2023
Several security issues were fixed in Apache HTTP Server.
Releases
Ubuntu 22.10 Ubuntu 22.04 LTS Ubuntu 20.04 LTS Ubuntu 18.04 LTS
Packages
apache2 - Apache HTTP seraver
Details
Lars Krapf discovered that the Apache HTTP Server mod_proxy module
incorrectly handled certain configurations. A remote attacker could
possibly use this issue to perform an HTTP Request Smuggling attack.
(CVE-2023-25690)
Dimas Fariski Setyawan Putra discovered that the Apache HTTP Server
mod_proxy_uwsgi module incorrectly handled certain special characters. A
remote attacker could possibly use this issue to perform an HTTP Request
Smuggling attack. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.0