#61673 closed enhancement (invalid)
URL-encoded _wp_http_referer causes Apache AH10508, leading to 403 in several places
| Reported by: | vsteiner | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | major | Version: | 6.6 |
| Component: | General | Keywords: | |
| Focuses: | | Cc: | |
Description
Apache has recently made a security fix which disallows rewriting URLs that contain a %3F (a URL-encoded question mark). See https://www.cve.org/CVERecord?id=CVE-2024-38474.
Apache will now return 403 whenever it rewrites a URL containing %3F.
Since WordPress puts the referer in form fields (_wp_http_referer), and browsers append this in a URL-encoded representation to the URL for GET requests, many WordPress pages/functions are no longer accessible.
To reproduce, use Apache 2.4.59 and up.
- Go to https://example.com/wp-admin/edit.php?post_type=page
- Type something in the search box and confirm
- This will lead to 403, since the originating URL contained a question mark
Apache offers the rewrite flag UnsafeAllow3F, but as far as I understand, it will reopen the vulnerability, so it's not a great solution. In addition, some hosters may not even allow their users to use this flag (the German hoster Strato being one of them).
This ticket is to ask the question: should WordPress change the referer mechanism as a consequence of the Apache vulnerability? Would it make sense to use base64 encoding for the URL to circumvent the issue?
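As an added illustration (not part of the ticket or of WordPress core), the Python below reproduces how a browser serialises the wp-admin search form into a GET URL, so the `?` inside `_wp_http_referer` ends up as `%3F`, and scans constructed Apache error-log lines for the AH10508 message so an administrator can confirm that a 403 really comes from this rewrite check rather than from something else. The form field values, the log lines and the exact log wording are assumptions.

```python
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed: fields of the wp-admin list-table search form as a browser
# submits them with method=GET. The hidden _wp_http_referer field carries
# the originating URL, question mark included.
SEARCH_FORM_FIELDS = {
    "s": "privacy",
    "post_status": "all",
    "post_type": "page",
    "_wp_http_referer": "/wp-admin/edit.php?post_type=page",
}

# Constructed sample error_log lines; the AH10508 wording is assumed.
SAMPLE_ERROR_LOG = [
    "[Tue Jul 02 10:15:01.123456 2024] [core:notice] [pid 100] AH00094: Command line: 'httpd'",
    "[Tue Jul 02 10:16:42.654321 2024] [rewrite:error] [pid 101:tid 7] [client 203.0.113.5:51234] "
    "AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F, "
    "referer: https://example.com/wp-admin/edit.php?post_type=page",
    "[Tue Jul 02 10:17:00.000000 2024] [core:error] [pid 102] [client 198.51.100.9:40000] AH00126: Invalid URI in request",
]

AH10508_RE = re.compile(r"\[client (?P<client>[^\]]+)\].*\bAH10508\b")


def build_get_url(action, fields):
    """Serialise form fields the way a browser does for method=GET (percent-encoding)."""
    return f"{action}?{urlencode(fields)}"


def encoded_question_marks(url):
    """Count %3F/%3f sequences: the pattern the AH10508 check rejects in a rewritten URL."""
    return len(re.findall(r"%3[fF]", url))


def referer_contains_query(url):
    """True if the decoded _wp_http_referer parameter itself carries a query string."""
    params = parse_qs(urlparse(url).query)
    return any("?" in ref for ref in params.get("_wp_http_referer", []))


def find_ah10508(log_lines):
    """Return the client addresses of error_log lines carrying AH10508."""
    return [m.group("client") for m in map(AH10508_RE.search, log_lines) if m]


if __name__ == "__main__":
    url = build_get_url("/wp-admin/edit.php", SEARCH_FORM_FIELDS)
    print(url, encoded_question_marks(url), referer_contains_query(url))
    print(find_ah10508(SAMPLE_ERROR_LOG))
```

Run against a real error_log, `find_ah10508` separates rewrite-check rejections from other 403 sources before deciding whether the hoster's rewrite rules are involved.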
Change History (3)
#2 in reply to: ↑ 1 (5 months ago)
- Resolution set to invalid
- Status changed from new to closed
Thank you for the links, that is very helpful!
Indeed, Strato has made changes so that the error does not occur at the moment.
Seeing that this now appears to be a hoster-related issue, it's probably fine to close the ticket.
The TYPO3 Security Team was able to prove that this problem is not a problem for which TYPO3 is responsible.
https://forge.typo3.org/issues/104410
Discussion about this (in German):
https://forum.t3academy.de/d/507-strato-create-content-forbidden-error-403-cve-2024-38474-unsafeallow3f/
The German Contao community also came to the conclusion that this problem is directly related to STRATO.
https://community.contao.org/de/showthread.php?87114-Fehler-403-Forbidden-durch-Cookiebar-AH10508-Unsafe-URL-with-3f-URL-rewritten
Maybe this will help you with further judgement 😉