critical: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49

We discussed this vulnerability during Episode 89 on 11 October 2021

Bit of a saga, starting with a patch to Apache httpd earlier this year that reintroduced an old vulnerability into Apache when encountering

The root cause is Apache not handling URL-encoded path segments consistently: a segment like .%2e/ was not recognised as ../ by the traversal check that ran early in request processing, but a later stage decoded it to ../, so the request walked out of the document root. The first patch added a check for the literal .%2e (the bypass depended on the first . being unencoded and only the second one encoded), but later use of the path does a further round of decoding, so double-encoding the second . (.%%32%65/, which decodes to .%2e/ and then to ../) enabled the traversal again and a second fix was needed. The general lesson is the usual one for path handling: decode exactly once, run every check on the fully decoded form, and verify the final resolved path is still under the document root.
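To make the ordering problem concrete, here is an added Python model of the three stages described above. It is not Apache's code; it is a deliberately simplified stand-in in which the traversal check runs before decoding, later stages decode the path twice (an assumption of the model, standing in for "later use of the path does more decoding"), and the document root, request paths and function names are all constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for the model.
DOCROOT = "/var/www/html"

# Constructed request paths: the two bypasses described above plus a plain traversal.
PLAIN = "/cgi-bin/../../../../etc/passwd"
SINGLE = "/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd"                   # .%2e      -> ..
DOUBLE = "/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd"   # .%%32%65  -> .%2e -> ..


def has_dotdot(path):
    """True if any path segment is literally '..' (the only thing the early check looks for)."""
    return ".." in path.split("/")


def decode_later(path):
    """Model of the later stages that decode the path more than once (assumption of this model)."""
    return unquote(unquote(path))


def resolve_buggy(path):
    """Model of the original flaw: the traversal check runs on the raw path, decoding happens afterwards."""
    if has_dotdot(path):
        return None
    return posixpath.normpath(DOCROOT + decode_later(path))


def resolve_first_fix(path):
    """Model of the incomplete fix: additionally rejects the literal '.%2e', but decoding still happens afterwards,
    so a double-encoded second dot (.%%32%65) slips past the check and is decoded to '..' later."""
    if has_dotdot(path) or ".%2e" in path.lower():
        return None
    return posixpath.normpath(DOCROOT + decode_later(path))


def resolve_hardened(path):
    """Decode exactly once, refuse anything still encoded after that round (i.e. double-encoded input),
    normalise, and finally confirm the resolved path is still under DOCROOT."""
    decoded = unquote(path)
    if "%" in decoded or "\x00" in decoded:   # never decode a second time; reject instead
        return None
    full = posixpath.normpath(DOCROOT + "/" + decoded.lstrip("/"))
    if full != DOCROOT and not full.startswith(DOCROOT + "/"):
        return None                           # escaped the document root
    return full


if __name__ == "__main__":
    for name, fn in (("buggy", resolve_buggy), ("first_fix", resolve_first_fix), ("hardened", resolve_hardened)):
        for label, req in (("plain", PLAIN), ("single", SINGLE), ("double", DOUBLE)):
            print(f"{name:10} {label:7} -> {fn(req)}")
```

Running it shows the buggy model serving /etc/passwd for the single-encoded request, the first-fix model blocking that one but serving /etc/passwd for the double-encoded request, and the hardened model returning None for all three while still resolving ordinary requests such as /index.html under the document root. The containment check at the end is the backstop worth keeping in any file-serving code even when the earlier checks look complete.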