Path Traversal or Remote Code Execution in Apache 2.4.49 and 2.4.50

  • A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49.
  • An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside the document root are not protected by "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could lead to remote code execution (RCE).
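
The two conditions named above can be checked in a server's configuration. The following is an added example, not code from the original article or from the Apache project: a simplified audit that reports whether the filesystem root `<Directory />` block carries `Require all denied` and whether a CGI module is loaded. The sample configurations and the finding names are constructed for illustration, and the parser assumes a single file (it does not follow `Include` directives).

```python
import re

# Constructed sample configurations (not taken from any real server).
WEAK_CONF = """
LoadModule cgid_module modules/mod_cgid.so
<Directory />
    Require all granted
</Directory>
"""

HARDENED_CONF = """
#LoadModule cgid_module modules/mod_cgid.so
<Directory />
    AllowOverride none
    Require all denied
</Directory>
"""

def audit(conf_text):
    """Return findings for the two conditions the advisory text names."""
    findings = []
    section = None        # path of the <Directory> block currently open
    root_requires = []    # Require directives seen inside <Directory />
    cgi_loaded = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue      # blank lines and commented-out directives
        m = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if m:
            section = m.group(1).strip()
        elif re.match(r"</Directory>", line, re.I):
            section = None
        elif section == "/" and re.match(r"Require\s", line, re.I):
            root_requires.append(" ".join(line.lower().split()))
        elif re.match(r"LoadModule\s+(cgi|cgid)_module\b", line, re.I):
            cgi_loaded = True
    if "require all denied" not in root_requires:
        findings.append("root-not-denied")   # files outside docroot reachable
    if cgi_loaded:
        findings.append("cgi-enabled")       # traversal could become RCE
    return findings
```

An empty result means the root is denied by default and no CGI module is loaded; it does not replace running a server version that contains the fix.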

CSCC LABS

Cybersecurity Comprehensive Coverage