[Security: medium, CVE-2019-19791] Apache access rules and SOAP/REST endpoints
Using Apache access rules to protect access to SOAP/REST endpoints is not fully working.
<Location /index.fcgi/sessions>
    Require all denied
</Location>
This will block access to http://auth.example.com/sessions, thanks to this rewrite rule:
But the URL http://auth.example.com/index.fcgi/sessions is valid and not protected. The URL http://auth.example.com/index.fcgi/index.fcgi/sessions is also valid, etc.
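A check an administrator can run against their own portal after adding such a rule, given here as an added example that is not part of the original report or of the project's code. It builds the URL forms listed above and reports those that are not answered with 403. The function names are hypothetical, and `reported_behaviour` is a constructed stub that mimics the behaviour described in this report so the script runs offline.

```python
import urllib.error
import urllib.request

SCRIPT = "index.fcgi"  # FastCGI script name taken from the report


def endpoint_variants(base_url, endpoint, depth=2):
    """Return base/endpoint plus the same path behind 1..depth SCRIPT prefixes."""
    base = base_url.rstrip("/")
    tail = endpoint.strip("/")
    return ["/".join([base] + [SCRIPT] * n + [tail]) for n in range(depth + 1)]


def http_status(url, timeout=5):
    """Fetch url and return the HTTP status code, including 4xx/5xx answers."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def unprotected_variants(base_url, endpoint, depth=2, fetch=http_status):
    """List the variants that are NOT answered with 403 Forbidden."""
    return [url for url in endpoint_variants(base_url, endpoint, depth)
            if fetch(url) != 403]


def reported_behaviour(url):
    """Constructed stub: only the rewritten short URL is denied, as reported."""
    return 403 if url == "http://auth.example.com/sessions" else 200


if __name__ == "__main__":
    # Replace fetch=reported_behaviour with the default to query a real portal.
    for url in unprotected_variants("http://auth.example.com", "sessions",
                                    fetch=reported_behaviour):
        print("not denied:", url)
```

An empty result means every tested form of the endpoint was denied; any URL printed still reaches the endpoint despite the `<Location>` rule.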