{"id":6052,"date":"2024-07-20T15:25:23","date_gmt":"2024-07-20T13:25:23","guid":{"rendered":"https:\/\/launix.de\/launix\/?p=6052"},"modified":"2024-08-15T12:09:56","modified_gmt":"2024-08-15T10:09:56","slug":"broken-websites-after-apache-update-unsafeallow3f-a-game-you-cannot-win","status":"publish","type":"post","link":"https:\/\/launix.de\/launix\/en\/broken-websites-after-apache-update-unsafeallow3f-a-game-you-cannot-win\/","title":{"rendered":"Broken Websites after Apache Update: UnsafeAllow3F – A game you cannot win"},"content":{"rendered":"\n

Since July 9 2024, Apache 2.4.60 has been released and brings a security update which solves CVE-2024-38474 but apperantly breaks a lot of web pages, including software that is written with TYPO3 framework.<\/p>\n\n\n\n\n\n\n\n

The update however is a disaster. And I will explain why:<\/p>\n\n\n\n

The patch in apache will throw a 403 Forbidden<\/strong> for every rewritten URL that contains %3F encoded in a URL. The reason for that is that attackers could smuggle in “?” queries and trick some CGI scripts to access files the user shouldn’t have permission to. For more info, read https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-38474<\/a><\/p>\n\n\n\n

To further allow intended use, e.g. in back-URLs (e.g. returnto= in TYPO3), Apache added the UnsafeAllow3F option in your .htaccess rules. And there lies the problem: Before Apache 2.4.60, the option was unknown and led to a 500 Internal Server Error<\/strong>.<\/p>\n\n\n\n

Here’s an overview schema of the dilemma:<\/p>\n\n\n\n

<\/td>Apache 2.4.59 or older<\/strong><\/td>Apache 2.4.60 or newer<\/strong><\/td><\/tr>
Hacker attack with %3F<\/td>vulnerable<\/td>fixed<\/td><\/tr>
Intended use of %3F<\/td>works<\/td>403 Forbidden<\/td><\/tr>
Use option UnsafeAllow3F<\/td>500 Internal Server Error<\/td>works<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Since you cannot write conditional .htaccess files, it is currently not possible to write software that both works on Apache 2.4.59 and<\/em> 2.4.60.<\/p>\n\n\n\n

So what is this? Why does Apache forbid a certain letter in the alphabet to fix vulnerable scripts??<\/p>\n\n\n\n

This reminds me of Magic Quotes<\/a><\/strong> from 1997. Magic Quotes is a deprecated PHP extension that tried to fix SQL Injections in vulnerable PHP scripts by quoting all input strings. This led to the problem that you weren’t allowed to encode certain strings into your input any more. And on top of it, this didn’t solve the issue as well since new SQL injection techniques arose that evaded this security mechanism.<\/p>\n\n\n\n

Here’s an example:<\/p>\n\n\n\n

<?php\n$db->query(\"SELECT * FROM users WHERE username = '\" . $_GET['username'] . \"'\"); \/\/ do not try this at home<\/code><\/pre>\n\n\n\n
The way a SQL injection works is to put something like ' OR TRUE --<\/code> into $_GET['username']<\/code> and this way, the string coming from user input will be ended by '<\/code> and the attacker is able to inject SQL code.<\/p>\n\n\n\n
Magic Quotes tried to solve this by replacing all '<\/code> by \\'<\/code> which solved the problem in some cases but at the same time broke existing programs and introduced additional vulnerabilities.<\/p>\n\n\n\n
Magic Quotes were officially deprecated as of PHP 5.3.0 and removed in PHP 5.4, due to security concerns. It is the perfect example of a software that tries to solve a problem that can only be fixed by the user. Why does Apache repeat this design mistake 27 years later?<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"
Since July 9 2024, Apache 2.4.60 has been released and brings a security update which solves CVE-2024-38474 but apperantly breaks a lot of web pages, including software that is written with TYPO3 framework.<\/p>","protected":false},"author":2,"featured_media":6053,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_editorskit_title_hidden":false,"_editorskit_reading_time":0,"_editorskit_is_block_options_detached":false,"_editorskit_block_options_position":"{}","_uag_custom_page_level_css":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-6052","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-allgemein","single-item"],"featured_image_urls_v2":{"full":["https:\/\/launix.de\/launix\/wp-content\/uploads\/2024\/07\/hacker-8003396_1280.png",1280,717,false],"thumbnail":["https:\/\/launix.de\/launix\/wp-content\/uploads\/2024\/07\/hacker-8003396_1280-150x150.png",150,150,true],"medium":["https:\/\/launix.de\/launix\/wp-content\/uploads\/2024\/07\/hacker-8003396_1280-300x168.png",300,168,true],"medium_large":["https:\/\/launix.de\/launix\/wp-content\/uploads\/2024\/07\/hacker-8003396_1280-768x430.png",751,420,true],"large":["https:\/\/launix.de\/launix\/wp-content\/uploads\/2024\/07\/hacker-8003396_1280-1024x574.png",751,421,true],"1536x1536":["https:\/\/launix.de\/launix\/wp-content\/uploads\/2024\/07\/hacker-8003396_1280.png",1280,717,false],"2048x2048":["https:\/\/launix.de\/launix\/wp-content\/uploads\/2024\/07\/hacker-8003396_1280.png",1280,717,false],"trp-custom-language-flag":["https:\/\/launix.de\/launix\/wp-content\/uploads\/2024\/07\/hacker-8003396_1280-18x10.png",18,10,true],"xs-thumb":["https:\/\/launix.de\/launix\/wp-content\/uploads\/2024\/07\/hacker-8003396_1280-64x64.png",64,64,true],"appku-shop-single":["https:\/\/launix.de\/launix\/wp-content\/uploads\/2024\/07\/hacker-8003396_1280.png",620,347,false]},"post_excerpt_stackable_v2":"
Since July 9 2024, Apache 2.4.60 has been released and brings a security update which solves CVE-2024-38474 but apperantly breaks a lot of web pages, including software that is written with TYPO3 framework. The update however is a disaster. And I will explain why: The patch in apache will throw a 403 Forbidden for every rewritten URL that contains %3F encoded in a URL. The reason for that is that attackers could smuggle in “?” queries and trick some CGI scripts to access files the user shouldn’t have permission to. For more info, read https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-38474 To further allow intended use,…<\/p>\n","category_list_v2":"Allgemein<\/a>","author_info_v2":{"name":"Carl-Philip H\u00e4nsch","url":"https:\/\/launix.de\/launix\/en\/author\/carli\/"},"comments_num_v2":"0 comments","uagb_featured_image_src":{"full":["https:\/\/launix.de\/launix\/wp-content\/uploads\/2024\/07\/hacker-8003396_1280.png",1280,717,false],"thumbnail":["https:\/\/launix.de\/launix\/wp-content\/uploads\/2024\/07\/hacker-8003396_1280-150x150.png",150,150,true],"medium":["https:\/\/launix.de\/launix\/wp-content\/uploads\/2024\/07\/hacker-8003396_1280-300x168.png",300,168,true],"medium_large":["https:\/\/launix.de\/launix\/wp-content\/uploads\/2024\/07\/hacker-8003396_1280-768x430.png",751,420,true],"large":["https:\/\/launix.de\/launix\/wp-content\/uploads\/2024\/07\/hacker-8003396_1280-1024x574.png",751,421,true],"1536x1536":["https:\/\/launix.de\/launix\/wp-content\/uploads\/2024\/07\/hacker-8003396_1280.png",1280,717,false],"2048x2048":["https:\/\/launix.de\/launix\/wp-content\/uploads\/2024\/07\/hacker-8003396_1280.png",1280,717,false],"trp-custom-language-flag":["https:\/\/launix.de\/launix\/wp-content\/uploads\/2024\/07\/hacker-8003396_1280-18x10.png",18,10,true],"xs-thumb":["https:\/\/launix.de\/launix\/wp-content\/uploads\/2024\/07\/hacker-8003396_1280-64x64.png",64,64,true],"appku-shop-single":["https:\/\/launix.de\/launix\/wp-content\/uploads\/2024\/07\/hacker-8003396_1280.png",620,347,false]},"uagb_author_info":{"display_name":"Carl-Philip H\u00e4nsch","author_link":"https:\/\/launix.de\/launix\/en\/author\/carli\/"},"uagb_comment_info":0,"uagb_excerpt":"Since July 9 2024, Apache 2.4.60 has been released and brings a security update which solves CVE-2024-38474 but apperantly breaks a lot of web pages, including software that is written with TYPO3 framework.","_links":{"self":[{"href":"https:\/\/launix.de\/launix\/en\/wp-json\/wp\/v2\/posts\/6052","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/launix.de\/launix\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/launix.de\/launix\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/launix.de\/launix\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/launix.de\/launix\/en\/wp-json\/wp\/v2\/comments?post=6052"}],"version-history":[{"count":4,"href":"https:\/\/launix.de\/launix\/en\/wp-json\/wp\/v2\/posts\/6052\/revisions"}],"predecessor-version":[{"id":6116,"href":"https:\/\/launix.de\/launix\/en\/wp-json\/wp\/v2\/posts\/6052\/revisions\/6116"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/launix.de\/launix\/en\/wp-json\/wp\/v2\/media\/6053"}],"wp:attachment":[{"href":"https:\/\/launix.de\/launix\/en\/wp-json\/wp\/v2\/media?parent=6052"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/launix.de\/launix\/en\/wp-json\/wp\/v2\/categories?post=6052"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/launix.de\/launix\/en\/wp-json\/wp\/v2\/tags?post=6052"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}