This document aims at explaining some recent vulnerabilities in Apache HTTP Server that leads to attacks like Path Traversal and Remote Code Execution. A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by “require all denied” these requests can succeed.
- Understanding the vulnerability
- Looking at the criticality and the CVSS score of the CVE
- Covering about the scope of impact
- Learning how to mitigate the vulnerability
- Setting up the lab and understanding the exploitation scenario
- Performing the exploit in lab environment