critical: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49
Original Post:
We discussed this vulnerability during Episode 89 on 11 October 2021
Bit of a saga, starting with a patch to Apache httpd earlier this year that reintroduced an old vulnerability: Apache not properly handling URL-encoded values, allowing an encoding like .%2e/ to be decoded as ../ but not be detected as a directory traversal during earlier processing. The patch for this added a check for .%2e (the particular case required that the first . not be encoded), but later use of the path does more decoding, so by double encoding the second . traversal was enabled again.
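The check-then-decode gap described above, as an added example (not code from the post or from httpd): a blocklist for specific spellings on the raw path is compared with a check that decodes to a fixed point before looking for .. segments. The function names, MAX_ROUNDS and the sample paths are assumptions made for the illustration.

```python
from urllib.parse import unquote

MAX_ROUNDS = 5  # assumption: deeper nesting of encodings than this is rejected outright


def has_dotdot(path: str) -> bool:
    """True if any '/'-separated segment is exactly '..'."""
    return ".." in path.split("/")


def pattern_check(raw_path: str) -> bool:
    """Blocklist on the raw, undecoded path: literal '..' or '.%2e' segments.

    Models a check for known spellings that runs before a later stage
    decodes the path again.
    """
    segments = raw_path.lower().split("/")
    return ".." in segments or ".%2e" in segments


def canonical_check(raw_path: str) -> bool:
    """Percent-decode until the path stops changing, then look for '..'."""
    path = raw_path
    for _ in range(MAX_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            return has_dotdot(path)
        path = decoded
    return True  # still changing after MAX_ROUNDS: treat as hostile


# Constructed request paths for the demonstration (not captured traffic).
SAMPLES = [
    "/docs/index.html",
    "/docs/v1%2e2/notes.txt",      # encoded dot inside a name, harmless
    "/docs/.%2e/private/file",     # single-encoded form named in the post
    "/docs/.%252e/private/file",   # second dot encoded twice
]


def audit(paths):
    """Return (path, flagged_by_pattern, flagged_by_canonical) per path."""
    return [(p, pattern_check(p), canonical_check(p)) for p in paths]


if __name__ == "__main__":
    for path, by_pattern, by_canonical in audit(SAMPLES):
        print(f"{path:32} pattern={by_pattern!s:5} canonical={by_canonical}")
```

The last sample is the one the two checks disagree on: the blocklist passes it, while decoding to a fixed point flags it.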