Apache 2.4.60+ and phpBB 3.3.x

[Eisrose]

Since Apache version 2.4.60 (from July 3rd) it is no longer allowed to encode question marks in the URL with %3F. Question marks encoded with %3f produce a 403 error. This affects the Apache standard settings.

Various phpBB pages produce an URL in which the question mark is encoded with %3f in the redirect variable. We now get a 403 error there. This affects various moderator functions at the bottom of the page and the login from a subpage.

If you have access to the Apache settings, this error can be switched off using "UnsafeAllow3F". But this is not possible with packages from a hoster and they are usually not willing to change the Apache standard settings.

Is this already known and is something being done about it?

[thecoalman]

Bugs should be reported to bug tracker. I don't see anything reported about it.

http://tracker.phpbb.com/

[P_I]

The Apache change is to deal with CVE-2024-38474. It is covered in https://httpd.apache.org/docs/current/r ... e_allow_3f

Setting this flag is required to allow a rewrite to continue If the HTTP request being written has an encoded question mark, '%3f', and the rewritten result has a '?' in the substitution. This protects from a malicious URL taking advantage of a capture and re-substitution of the encoded question mark.

[Eisrose]

Can I just enter this into the bug tracker?

[danieltj]

Can I just enter this into the bug tracker?

Yes. If no one else has made a report in the bug tracker about it yet then feel free to create a ticket yourself. Even if you don’t write any code to address the issue, opening a ticket is still valuable.

Just make sure to include plenty of detail.