sni / Thruk

Thruk is a multibackend monitoring webinterface for Naemon, Nagios, Icinga and Shinken using the Livestatus API.
http://www.thruk.org

Thruk not working since CVE-2024-38474 is fixed in httpd #1387

Closed gslongo closed 2 days ago

gslongo commented 1 month ago

Describe the bug
After upgrading to the latest version of httpd on Rocky Linux 9 (httpd-2.4.57-11.el9_4.1.x86_64) there is an issue with the Thruk interface.

To work around it, I updated the file /usr/share/thruk/thruk_cookie_auth.include like so:

14,15c14,15
< RewriteRule ^(.*)$                   ${thruk_users:$1|/loginbad/} [C,NS]
< RewriteRule ^/pass/(.*)$             /$1 [NS,PT,L,E=!REMOTE_USER]
---
> RewriteRule ^(.*)$                   ${thruk_users:$1|/loginbad/} [C,NS,UnsafeAllow3F]
> RewriteRule ^/pass/(.*)$             /$1 [NS,PT,L,E=!REMOTE_USER,UnsafeAllow3F]
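Review bot: adding UnsafeAllow3F unconditionally to both rules makes the shipped include fail on Apache versions that do not know the flag (older httpd rejects an unknown RewriteRule flag when it parses the configuration), so the addition has to be gated on the installed httpd rather than applied as-is. The flag also opts exactly these two substitutions out of the check the CVE-2024-38474 fix introduced: both are built from request-derived data (the `${thruk_users:$1|/loginbad/}` map lookup and the `$1` back-reference), so once the flag is set, keeping a `?` out of the rewritten path is entirely up to what the thruk_users map returns.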

Thruk Version
3.16-13102.1.x86_64

To Reproduce
On EL9, update to the latest package versions.

Expected behavior
Login possible.

Screenshots
403 Forbidden when going to the login page (http://host/thruk/).

Desktop (please complete the following information)
N/A

Additional context
Due to CVE-2024-38474 we need to add UnsafeAllow3F to some RewriteRule directives.

sni commented 1 month ago

Thanks for the report. This has been fixed with c027ea1d27956d85d821daacfb3e358d5e422878 already and works well on all systems, except rhel9 where it started to fail since Friday. Funnily enough, doing some tests on Rocky 9 revealed strange behavior. Having a URL like main.cgi? triggers the error on rhel9, while testing a URL like main.cgi%3f does work. I would have expected it the other way round.

Adding the UnsafeAllow3F option helps, but cannot be added as general workaround, because it simply does not exist on older apaches.
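As an added check, not code from the Thruk project: a small Python audit that flags RewriteRule lines whose substitution is built from request data (back-references, RewriteMap lookups, server variables) without UnsafeAllow3F, i.e. the kind of rule the hardened httpd answers with 403, and the mechanical flag addition used in the workaround above. The config lines are a constructed sample modelled on the rules in this thread, not the packaged include file.

```python
import re

# Constructed sample (not a file from the Thruk package): the rule that
# feeds the chain, the two rules changed in the workaround, a literal-only
# redirect and one rule that already carries the flag.
SAMPLE_CONFIG = """\
RewriteRule ^/(.*)$       /%1/%{REMOTE_ADDR}/____/$1/____/%{QUERY_STRING} [C,NS]
RewriteRule ^(.*)$        ${thruk_users:$1|/loginbad/} [C,NS]
RewriteRule ^/pass/(.*)$  /$1 [NS,PT,L,E=!REMOTE_USER]
RewriteRule ^/thruk$      /thruk/ [R=302,L]
RewriteRule ^/x/(.*)$     /y/$1 [UnsafeAllow3F,L]
"""

# RewriteRule <pattern> <substitution> [<flags>]; the flag list is optional.
RULE_RE = re.compile(r'^(\s*RewriteRule\s+\S+\s+\S+)(?:\s+\[([^\]]*)\])?\s*$')
# Request-filled substitution pieces: back-references ($1, %1), RewriteMap
# lookups (${map:key}) and server variables (%{VAR}). Only these can carry
# a '?' that the hardened mod_rewrite refuses with 403.
DYNAMIC_RE = re.compile(r'\$\d|%\d|\$\{[^}]+\}|%\{[^}]+\}')

def parse_flags(flag_text):
    """'C,NS,E=!REMOTE_USER' -> {'C', 'NS', 'E'}: names only, upper-cased."""
    return {f.strip().split('=', 1)[0].upper()
            for f in (flag_text or '').split(',') if f.strip()}

def audit_rewrite_rules(config_text):
    """[(lineno, line)] for rules with a request-derived substitution and
    no UnsafeAllow3F: candidates for a 403 on an httpd with the
    CVE-2024-38474 fix. Static heuristic; the request decides in the end."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m or 'UNSAFEALLOW3F' in parse_flags(m.group(2)):
            continue
        substitution = m.group(1).split()[2]
        if DYNAMIC_RE.search(substitution):
            findings.append((lineno, line.strip()))
    return findings

def add_unsafe_allow_3f(line):
    """Append UnsafeAllow3F to one RewriteRule line, as the workaround
    above does. Apply only where the installed httpd knows the flag (2.4.60+
    or a distro backport): older builds reject unknown flags at startup."""
    m = RULE_RE.match(line)
    if not m or 'UNSAFEALLOW3F' in parse_flags(m.group(2)):
        return line
    head, flags = m.group(1), m.group(2)
    return f"{head} [{flags + ',' if flags else ''}UnsafeAllow3F]"
```

Run against the sample, the first three rules are reported; the literal-only redirect and the already-flagged rule are not.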

sni commented 4 weeks ago

It should be fine now. I added a configure flag to add this UnsafeAllow3F flag to the Apache config and added autodetection to set this flag on rhel8 and rhel9.

Kornelljus commented 4 days ago

It seems that the /usr/share/thruk/thruk_cookie_auth.include file is not the latest one (I can see in git that it is updated, but from the package I don't get that file). Removing thruk-base and installing it again gives this:

# extend default virtual host. put/include these rewrite rules in https or
# any other virtual host if you want to enable cookie authentication

# redirect /thruk -> /thruk/ to avoid problems with cookies
RewriteRule ^/thruk$              /thruk/ [R=302,L]

# cookie based authentication
RewriteEngine On
RewriteMap  thruk_users              prg:/usr/share/thruk/thruk_auth
RewriteCond %{REQUEST_URI}           !^/thruk/cgi-bin/restricted.cgi
RewriteCond %{REQUEST_URI}           ^/thruk
RewriteCond %{HTTP_COOKIE}           (thruk_auth=[^;]+|$)  [NC]
RewriteRule ^/(.*)$                  /%1/%{REMOTE_ADDR}~~%{HTTP:Authorization}~~%{HTTP:X-Thruk-Auth-Key}~~%{HTTP:X-Thruk-Auth-User}/____/$1/____/%{QUERY_STRING} [C,NS]
RewriteRule ^(.*)$                   ${thruk_users:$1|/loginbad/} [C,NS]
RewriteRule ^/pass/(.*)$             /$1 [NS,PT,L,E=!REMOTE_USER]
RewriteRule ^/redirect/(.*)$         /$1 [NS,L,R=302]
RewriteRule ^/loginok/([^/]+)/(.*)$  /$2 [NS,PT,L,E=REMOTE_USER:$1]

# finally exclude everything from basic auth, except the restricted.cgi
<LocationMatch ^/thruk(?!/cgi-bin/restricted.cgi)>
    Require all granted
</LocationMatch>

AllowEncodedSlashes NoDecode

Instead of RewriteRule ^/(.*)$ /auth:%1/%{REMOTE_ADDR} <......>, which fails to restart Thruk due to redirect limits.

Using deb11.

ii  thruk                                3.16+1                             amd64        Monitoring Webinterface for Nagios/Naemon/Icinga and Shinken
ii  thruk-base                           3.16+1                             amd64        Monitoring Webinterface for Nagios/Icinga and Shinken

sni commented 3 days ago

@Kornelljus that's another issue and not related to the UnsafeAllow3F thing. Yours was fixed in https://github.com/sni/Thruk/commit/45a2cde8cc2c5785475f2357df4c862c888a19cd, but there was no Thruk release since, so reinstalling the latest stable does not change anything. I will see if I find some time to do a proper release.

Kornelljus commented 3 days ago

Amazing. Thanks for the fast response.

sni commented 2 days ago

Should be fine with the latest v3.18 release.