Original Post: critical: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49
This vulnerability was analyzed during Episode 89 on 11 October 2021
A bit of a saga, starting with a patch to Apache httpd earlier this year that introduced an old vulnerability back into Apache when encountering
Apache did not properly handle URL-encoded values, allowing an encoding like .%2e/ to be decoded as ../ but not be detected as a directory traversal during earlier processing. The patch for this added a check for .%2e (the particular case required that the first . not be encoded), but later uses of the path do more decoding, so by double encoding the second . traversal was enabled again.
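Added example (not from the original post and not Apache's code): a Python sketch of the check-ordering problem described above, comparing a traversal check that runs after a single decode pass with one that decodes to a fixed point before checking. The function names, the MAX_ROUNDS cap and the sample paths are constructed for illustration.

```python
from urllib.parse import unquote

MAX_ROUNDS = 5  # assumed cap on decode passes, so hostile input cannot loop for long

# Constructed sample request paths (not taken from real traffic).
SAMPLES = [
    "/docs/a%20b.html",      # ordinary single-encoded space
    "/app/.%2e/config",      # encoded second dot, the form named in the text
    "/app/.%252e/config",    # the same segment with its "%" encoded once more
    "/files/a%2520b.txt",    # double-encoded space, no traversal
]

def has_dotdot(path):
    """True if any '/'-separated segment is exactly '..'."""
    return ".." in path.split("/")

def single_pass_check(path):
    """Flawed order: decode once, check, then let later code decode again."""
    return has_dotdot(unquote(path))

def fully_decode(path):
    """Percent-decode until the string stops changing; return (path, passes)."""
    passes = 0
    while passes < MAX_ROUNDS:
        decoded = unquote(path)
        if decoded == path:
            break
        path, passes = decoded, passes + 1
    return path, passes

def classify(path):
    """Check the form the file-system layer will finally see."""
    decoded, passes = fully_decode(path)
    if has_dotdot(decoded):
        return "traversal"
    if passes > 1:
        return "multi-encoded"  # worth rejecting or logging on its own
    return "ok"

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:24} single-pass={single_pass_check(p)!s:5} fixed-point={classify(p)}")
```

The single-pass check catches the once-encoded segment but reports the twice-encoded one as clean, which is the gap the text describes; the fixed-point check flags both.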