Apache mod_rewrite open redirect
Description
Apache HTTP Server versions 2.4.0 through 2.4.39 contain an open redirect vulnerability in the mod_rewrite module (CVE-2019-10098). When mod_rewrite rules are configured to perform self-referential redirects, attackers can bypass the intended redirect logic by injecting encoded newline characters into the request URL. This causes the server to redirect users to an attacker-controlled destination instead of the intended location. The vulnerability was discovered by Yukitsugu Sasaki and affects improperly configured rewrite rules that do not adequately validate redirect targets.
Remediation
Take the following steps to remediate this vulnerability:
1. Upgrade Apache HTTP Server
Update to Apache httpd version 2.4.41 or later, which contains the fix for CVE-2019-10098. Verify your current version using:
httpd -v
2. Review mod_rewrite Rules
Audit your existing mod_rewrite configurations for redirect rules that may be vulnerable. Pay special attention to rules that use the [R] or [redirect] flags with user-supplied input.
3. Implement Secure Redirect Patterns
If upgrading immediately is not possible, modify rewrite rules to validate redirect targets. Use whitelist-based approaches:
# Example: redirect to a fixed, hard-coded destination instead of one derived from the request
RewriteCond %{HTTP_HOST} ^(www\.)?example\.com$ [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
# Avoid using user input directly in redirect targets
# BAD: RewriteRule ^/redirect/(.*)$ $1 [R,L]
# GOOD: Use explicit mappings or strict validation
4. Verify the Fix
After upgrading or modifying configurations, test that encoded newlines and other special characters in URLs do not cause unexpected redirects.
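The following script is an added example for steps 3 and 4, not code from the original advisory or from the Apache project. It sends probe requests containing percent-encoded control characters to a server, does not follow redirects, and checks that every Location header either is a relative path or points at a host in an allowlist. ALLOWED_HOSTS, PROBE_PATHS and the target host/port are constructed assumptions; adjust them to your deployment.

```python
"""Check that mod_rewrite redirects stay on allowed hosts (added verification helper)."""
import http.client
import sys
from urllib.parse import unquote, urlsplit

# Constructed sample allowlist: hosts a redirect may legitimately land on.
ALLOWED_HOSTS = {"www.example.com", "example.com"}

# Constructed probe paths: each carries a percent-encoded control character
# of the kind step 4 asks you to test with.
PROBE_PATHS = ["/", "/index.html", "/%0a", "/%0d%0a", "/%0a/", "/%00"]


def check_location(location, allowed_hosts=ALLOWED_HOSTS):
    """Decide whether a Location header value is an acceptable redirect target.

    Returns (ok, reason). ok is True when there is no redirect, when the
    redirect is a same-origin relative path, or when the absolute URL's host
    is in allowed_hosts. Raw control characters anywhere in the header are
    rejected outright (they indicate header injection); an encoded control
    character in the path is only reported as a reason, because a browser
    would still resolve the host correctly.
    """
    if location is None:
        return True, "no redirect"
    if any(ord(c) < 0x20 or c == "\x7f" for c in location):
        return False, "raw control character in Location"
    parts = urlsplit(location)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: must be an absolute path, not protocol-relative.
        if location.startswith("/") and not location.startswith("//"):
            return True, "relative redirect"
        return False, "unexpected relative form: %r" % location
    if parts.scheme.lower() not in ("http", "https"):
        return False, "non-HTTP scheme: %r" % parts.scheme
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False, "redirect leaves allowlist: %r" % host
    note = "absolute redirect to allowed host"
    if any(ord(c) < 0x20 for c in unquote(parts.path)):
        note += " (encoded control character in path)"
    return True, note


def probe_server(host, port=80, paths=PROBE_PATHS, allowed_hosts=ALLOWED_HOSTS):
    """Send each probe path without following redirects; return the failures."""
    failures = []
    for path in paths:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request("GET", path, headers={"Host": host})
            resp = conn.getresponse()
            location = resp.getheader("Location")
            ok, reason = check_location(location, allowed_hosts)
            print("%-10s %s %-40s %s" % (path, resp.status, location, reason))
            if not ok:
                failures.append((path, location, reason))
        finally:
            conn.close()
    return failures


if __name__ == "__main__":
    # Usage: python check_redirects.py www.example.com [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    bad = probe_server(target, target_port)
    print("%d unsafe redirect(s)" % len(bad))
    sys.exit(1 if bad else 0)
```

Run it against a staging copy of the server before and after the upgrade or rule change; any row reported as leaving the allowlist, or any raw control character reaching the Location header, means the redirect logic still needs work. The checker deliberately treats protocol-relative targets (`//other.host/`) and `user@host` forms as failures, since both are common ways a host allowlist is bypassed when only the string prefix is compared.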