Apache RewriteRule htaccess security

Question

If I configure an .htaccess file like this :

RewriteEngine On
RewriteRule ^([^/]*)$ /view.php?key=$1 [L]

Which transforms:

original URL   http://www.example.com/view.php?key=123
rewritten URL  http://www.example.com/123

Is there any way for an attacker to find the real PHP file (here view.php) and directly access it (in the URL bar)? Considering URL-bruteforce is not an option, nor .htaccess reading.

score 1 · Answer 1 · answered Jan 13 '15 at 10:45

1

There are several ways; php could have display_errors on or you could have HTML source or links that reveal the file location.

URL is a little trickier, but using something like ///view.php might do the job.

answered Jan 13 '15 at 10:45

wireghoul

5,745
2
17
26

Apache RewriteRule htaccess security

1 Answers1