[Security: medium, CVE-2019-19791] Apache access rules and SOAP/REST endpoints
Using Apache access rules to protect access to SOAP/REST endpoints is not fully working.
For example:
<Location /index.fcgi/sessions>
Require all denied
</Location>
Will block access to http://auth.example.com/sessions, thanks to this rewrite rule:
RewriteCond "%{REQUEST_FILENAME}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$"
RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
But the URL http://auth.example.com/index.fcgi/sessions is valid and not protected. The URL http://auth.example.com/index.fcgi/index.fcgi/sessions is also valid, etc.
Edited by Maxime Besson
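The following script is an added example, not code from the issue or from the LemonLDAP::NG project. It models how Apache applies the `<Location /index.fcgi/sessions>` deny to the URI after the rewrite rule quoted above has run (mod_rewrite documents that in virtual-host context `%{REQUEST_FILENAME}` still holds the request URI, and httpd re-runs the location walk after translation), which reproduces the three outcomes reported: `/sessions` is denied while `/index.fcgi/sessions` and `/index.fcgi/index.fcgi/sessions` are not. It then shows a check that decides on the route the request actually reaches rather than on its spelling. The protected route set, the assumption that the portal discards every leading `index.fcgi` segment before routing, and the sample requests are constructed for the demo.

```python
"""Added example (not code from the issue or the LemonLDAP::NG project).

Models how Apache evaluates a <Location> deny against the URI *after* the
page's RewriteRule has run, why that leaves alternate spellings of the same
endpoint uncovered, and a canonicalise-then-decide check that does not depend
on the spelling.  PROTECTED_ROUTES, the portal's handling of repeated
/index.fcgi segments and SAMPLE_REQUESTS are assumptions constructed for the demo.
"""
import re

SCRIPT_NAME = "/index.fcgi"
PROTECTED_ROUTES = {"/sessions"}   # routes the operator intends to restrict (constructed)

# The page's RewriteCond pattern.  In virtual-host context mod_rewrite documents
# REQUEST_FILENAME as identical to REQUEST_URI, so the test runs on the raw path.
ALREADY_ROUTED = re.compile(r"^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$")


def rewrite(request_uri: str) -> str:
    """Model of:  RewriteCond %{REQUEST_FILENAME} !<pattern>
                  RewriteRule ^/(.+)$ /index.fcgi/$1 [PT]"""
    if request_uri == "/" or ALREADY_ROUTED.match(request_uri):
        return request_uri
    return SCRIPT_NAME + request_uri


def location_denied(uri: str, location: str = SCRIPT_NAME + "/sessions") -> bool:
    """<Location> semantics: whole-segment prefix match.  httpd re-runs the
    location walk after translate_name, so this sees the rewritten URI."""
    return uri == location or uri.startswith(location + "/")


def apache_denies(request_uri: str) -> bool:
    """What the literal <Location /index.fcgi/sessions> rule decides for a request."""
    return location_denied(rewrite(request_uri))


def portal_route(uri: str) -> str:
    """Assumed portal behaviour, inferred from the report that
    /index.fcgi/index.fcgi/sessions is served like /sessions: every leading
    script-name segment is discarded before routing."""
    segments = [s for s in uri.split("/") if s]
    while segments and "/" + segments[0] == SCRIPT_NAME:
        segments.pop(0)
    return "/" + "/".join(segments)


def hardened_denies(request_uri: str) -> bool:
    """Decide on the route the request actually reaches, not on its spelling."""
    return portal_route(rewrite(request_uri)) in PROTECTED_ROUTES


def uncovered_spellings(request_uris):
    """Spellings that reach a protected route yet pass the literal <Location> rule."""
    return [u for u in request_uris
            if portal_route(rewrite(u)) in PROTECTED_ROUTES and not apache_denies(u)]


SAMPLE_REQUESTS = [                       # constructed; includes the page's three URLs
    "/sessions",
    "/index.fcgi/sessions",
    "/index.fcgi/index.fcgi/sessions",
    "/index.fcgi/index.fcgi/index.fcgi/sessions",
    "/static/logo.png",
    "/index.fcgi/other",
]

if __name__ == "__main__":
    for u in SAMPLE_REQUESTS:
        print(f"{u:45} -> {rewrite(u):55} route={portal_route(rewrite(u)):10} "
              f"location_denied={apache_denies(u)!s:5} hardened={hardened_denies(u)}")
    print("not covered by the literal rule:", uncovered_spellings(SAMPLE_REQUESTS))
```

The point for an operator is the one the report makes: a `<Location>` deny is keyed on one spelling of the path, but the rewrite rule and the portal's own path handling together make several spellings reach the same handler. Running `uncovered_spellings` over a candidate request list surfaces the gap; enforcing on the canonical route (as `hardened_denies` does, or equivalently inside the application once it has resolved the route) closes it for every spelling at once.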