JochenL
Staff member
- CC.com uses XenForo.
- For some interactions it uses JS-initiated Server Calls.
- These calls can contain redirect URLs with parameters.
- URL-Parameters that contain URLs with parameters need to escape them.
- For ? the code %3F is used.
- This code may be used to trigger a vulnerability in Apache's mod_rewrite (https://ubuntu.com/security/notices/USN-6885-1).
- Therefore, our provider obviously switched to a new version of Apache which deactivates %3F rewrites.
- There is a flag UnsafeAllow3F to still allow rewriting of %3F.
- We cannot overwrite this flag. Understandably so, as the vulnerability can crash the web server for all customers.
- The effect on us is that using such an interaction triggers an "Oops, something went wrong" (or similar) popup and effectively stops executing the action.
- My current workaround is to Ctrl+Click the action, which causes a new tab to appear where you can continue the action, circumventing the limitation of the Rewrite Module Flag.
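
The escaping chain described in the post, as an added example that is not part of the original post and is not XenForo's code: it shows how a redirect URL nested in a parameter ends up carrying `%3F`, and lists which request URLs contain it. The endpoint, the parameter name `redirect` and the sample URLs are constructed assumptions.

```javascript
// Added example: endpoint, parameter name and sample URLs are constructed.

// Build a server-call URL that carries a redirect target as a parameter.
// encodeURIComponent escapes the target's own "?" as %3F so it cannot be
// mistaken for the start of the outer query string.
function buildCallUrl(endpoint, redirectTarget) {
  return endpoint + "?redirect=" + encodeURIComponent(redirectTarget);
}

// Report where an encoded question mark occurs in a request URL: in the
// path and/or in named query parameters. This works on the raw string,
// because URL/URLSearchParams would decode %3F and hide it.
function findEncoded3F(requestUrl) {
  const noFragment = requestUrl.split("#")[0];
  const qPos = noFragment.indexOf("?");
  const path = qPos === -1 ? noFragment : noFragment.slice(0, qPos);
  const query = qPos === -1 ? "" : noFragment.slice(qPos + 1);
  const has3F = (s) => /%3f/i.test(s); // %3F and %3f are equivalent

  const params = query
    .split("&")
    .filter((pair) => pair.length > 0)
    .filter((pair) => has3F(pair.slice(pair.indexOf("=") + 1)))
    .map((pair) => pair.split("=")[0]);
  return { inPath: has3F(path), params };
}

// Keep only the calls that contain an encoded "?" anywhere.
function auditCalls(urls) {
  return urls.filter((u) => {
    const hit = findEncoded3F(u);
    return hit.inPath || hit.params.length > 0;
  });
}

// Constructed sample calls: only the first nests a URL with its own query.
const sampleCalls = [
  buildCallUrl("/index.php", "/threads/example.1/?page=2"),
  buildCallUrl("/index.php", "/threads/example.1/"),
  "/members/list",
];

console.log(auditCalls(sampleCalls));
```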