The second argument of the RewriteRule directive specifies the substituted URI reference or file path. A very common misconception is that the substituted string is always taken to mean a URI reference relative to the DocumentRoot.
For example, one might try the following rule to append a query parameter to an incoming request.
But given that the substitution string is first tried as an absolute filesystem path, and if that doesn't work, as relative to the DocumentRoot, a request such as http://example.com/etc/passwd would serve the system password table.
One solution is to prepend the document root in cases where the resulting path could be ambiguous. Such as:
Mitigating Information Disclosure
The best way to avoid situations like this is to only allow access to file paths relevant to the context at hand. For example:
In this way, vhosts are restricted to their relevant areas in cases of overly promiscuous rewrite rules. Most, if not all, installations of Apache do this already (denying from all in the / directory).