lucee-docs icon indicating copy to clipboard operation
lucee-docs copied to clipboard

Published 20 hours ago verified publisher icon lucee

Update Apache example to use regex match

Open gt-kahootz opened this issue 2 years ago • 2 comments

The example Apache Location directive shown in the lockdown guide can be bypasseed by crafting URL's that contain semi-colons.

So a URL like /;/lucee/admin/server.cfm would bypass that directive and give access to the Lucee Admin app to request from any IP.

Alternatively, you could use <LocationMatch /lucee>... instead of using the ~.

gt-kahootz avatar Feb 09 '23 11:02 gt-kahootz

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Feb 09 '23 11:02 CLAassistant

Great input! Thx for pointing that out!!! Just updated also the docs here: https://github.com/lucee/lucee-docs/pull/1345 and https://github.com/lucee/lucee-docs/pull/1346

and also updated the video: https://www.youtube.com/watch?v=Y4zKiOSqFGw

andreasRu avatar Feb 10 '23 14:02 andreasRu