This can occur when a file ending in .js is requested through a relative path, such as /julialang/file.js . The file extension is matched against the request path, so when the .js files live in a directory named /js , a relative request such as /js/?foo=bar is still treated as a request for a .js file and the file is served, which is the security risk. By default all static files are served through relative paths, so you may need to update your .htaccess file so that static files are served from an absolute path, such as /js/myfile.js .
Mitigate the risk
If you are using a CDN or other third-party hosting service, you may also need to update the script URL in the header of your pages so that it points at the absolute path rather than a relative one.
How to verify if you are susceptible to CVE-2021-22685
You can verify whether you are susceptible to CVE-2021-22685 by inspecting your .htaccess file and looking at the pattern of each RewriteRule . If a rule's path pattern is a wildcard that matches every request, such as /* , then you are susceptible to this vulnerability.
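The check described above, written out as a runnable script. This is an added example for this page, not code from the advisory or from the Apache project; the function names make_sample_htaccess and check_htaccess, the host www.example.com, and the list of pattern shapes treated as catch-alls are this example's own assumptions, and the .htaccess contents it scans are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example (not from the advisory or any Apache project): scan an .htaccess
# file for RewriteRule directives whose pattern is a wildcard catch-all, which is
# the condition the verification section describes.
# The sample .htaccess contents below are constructed for this demonstration.
set -eu
set -f   # no pathname expansion: rule patterns contain * and [ ] characters

# Write a constructed sample .htaccess to a temp file and print its path.
# "$1" selects the variant: "vulnerable" (catch-all rule) or "fixed".
make_sample_htaccess() {
  f=$(mktemp)
  if [ "$1" = "vulnerable" ]; then
    cat > "$f" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.example\.com$
RewriteRule ^(.*)$ /js/myfile.js/$1 [R=301,QSA]
EOF
  else
    cat > "$f" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.example\.com$
RewriteCond %{REQUEST_URI} !^/js/
RewriteRule ^(?:.*/)?([^/]+\.js)$ /js/$1 [R=301,L]
EOF
  fi
  printf '%s\n' "$f"
}

# Print "line N: catch-all pattern P" for every RewriteRule whose pattern matches
# any path. Returns 1 when at least one such rule exists (susceptible), else 0.
# The set of pattern shapes treated as catch-alls is this check's own assumption.
check_htaccess() {
  file=$1
  found=0
  lineno=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    # Split the directive into words; blank lines and comments fail the
    # RewriteRule test below and are skipped.
    set -- $line
    [ "${1:-}" = "RewriteRule" ] || continue
    pattern=${2:-}
    case "$pattern" in
      '^(.*)$'|'^(.*)'|'(.*)'|'.*'|'^.*$'|'^.*'|'/*'|'^/*'|'^/*$'|'^(/*)$')
        printf 'line %d: catch-all pattern %s\n' "$lineno" "$pattern"
        found=1
        ;;
    esac
  done < "$file"
  return "$found"
}

# Usage: run the check against both constructed variants.
vulnerable=$(make_sample_htaccess vulnerable)
fixed=$(make_sample_htaccess fixed)
check_htaccess "$vulnerable" || echo "$vulnerable: susceptible"
check_htaccess "$fixed" && echo "$fixed: no catch-all rewrite found"
```

Point check_htaccess at your real .htaccess (for example `check_htaccess /var/www/html/.htaccess`) to list the offending rules; a non-zero exit status means at least one catch-all RewriteRule was found.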
How to fix the issue?
To ensure that your static files are served from an absolute path, update your .htaccess file to include an appropriate RewriteRule . The following rule redirects any .js file requested from some other directory to its absolute path under /js/ ; the second RewriteCond excludes requests that already use /js/ , otherwise the redirect would loop:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.example\.com$
RewriteCond %{REQUEST_URI} !^/js/
RewriteRule ^(?:.*/)?([^/]+\.js)$ /js/$1 [R=301,L,QSA]
How to fix Apache rewrite-failed error
If you are receiving the Apache rewrite-failed error, check that the RewriteRule in your .htaccess file serves your static files from an absolute path, such as /js/myfile.js , rather than rewriting every request. If you are using a CDN or other third-party hosting service, the script URL in the header of your pages must also point at that absolute path.
Timeline
Published on: 10/14/2022 17:15:00 UTC
Last modified on: 10/15/2022 02:26:00 UTC