Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Path traversal and file disclosure vulnerability in Apache HTTP Server

Apache. Posted 4 Years Ago
  • Apache httpd is an open-source HTTP server used all around the world, so a flaw in it that leads to RCE or file disclosure is a huge deal.
  • A flaw was found in the path normalization code that allowed a path traversal, mapping URLs to files outside of the document root.
  • The payload was .%2e/: %2e is the percent-encoded form of a period, so the segment should have been recognised as ../ and collapsed (or rejected) during normalization. Instead, the dot-segment check only looked for literal periods and did not match the encoded one; the segment was URL-decoded later on, after the check, and the resulting ../ was never sanitized.
  • A request for .%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd could therefore escape the web server root and bring back the password file. A directory traversal in Apache in 2021 (CVE-2021-41773, in httpd 2.4.49); that is insane! Here is a proof of concept. URL parsing is extremely difficult! One caveat for anyone testing this: the traversal only reaches directories that the configuration does not protect with "require all denied" (the default config denies "/", so the usual target was an aliased directory such as cgi-bin), and with mod_cgi enabled the same bug could be turned into remote code execution.
  • Some further information about this can be found at SANS. The particular code had not been changed in 20+ years! The code author was trying to simplify the parsing for normalization and validation, but did not understand the security implications of the changes; the URL-decoding check for the . (period) appears to have been removed. The first fix, in 2.4.50, was incomplete (it could be bypassed with double encoding, %%32%65, tracked as CVE-2021-42013) and the bug was fully fixed in 2.4.51.
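The ordering mistake described above, modelled in Python as an added example (this is not Apache's code and not from the SANS write-up; DOCROOT, map_vulnerable, map_hardened and the sample paths are my own assumptions). The vulnerable mapper checks dot-segments on the still-encoded path and percent-decodes afterwards, which is the order that lets .%2e/ turn into ../ after the check; the hardened mapper decodes exactly once, then normalizes, and rejects any path that would climb above the root. It also shows why decoding exactly once matters for the double-encoded bypass: %%32%65 decodes to the literal text %2e, which is just an odd filename as long as nothing downstream decodes it a second time.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the example (not a real server path).
DOCROOT = "/var/www/html"


def normalize(path):
    """RFC 3986 remove_dot_segments on an absolute URL path.

    Returns the collapsed path, or None if the path tries to climb above "/".
    Note that this function only recognises literal "." and ".." segments.
    """
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                  # drop empty and "." segments
        if seg == "..":
            if not out:
                return None           # attempt to escape above the root
            out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def map_vulnerable(url_path):
    """Models the 2.4.49 ordering: normalize first, percent-decode later.

    ".%2e" is not a dot-segment to normalize(), so it survives untouched;
    the later decode turns it into "..", but nothing checks it again.
    """
    norm = normalize(url_path)
    if norm is None:
        return None
    # The filesystem sees the decoded "../" and happily walks up the tree.
    return posixpath.normpath(DOCROOT + unquote(norm))


def map_hardened(url_path):
    """Decode exactly once, then normalize, then verify the prefix."""
    decoded = unquote(url_path)       # single decode, before any check
    norm = normalize(decoded)
    if norm is None:
        return None                   # ".." past the root: reject outright
    target = posixpath.normpath(DOCROOT + norm)
    # Belt and braces: the mapped file must stay under the document root.
    if target != DOCROOT and not target.startswith(DOCROOT + "/"):
        return None
    return target


# Constructed sample requests (not captured traffic).
PAYLOAD = ".%2e/.%2e/.%2e/.%2e/etc/passwd"          # CVE-2021-41773 style
DOUBLE = ".%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd"  # 2.4.50 bypass style
BENIGN = "/docs/./guide/../index.html"

if __name__ == "__main__":
    for p in (PAYLOAD, DOUBLE, BENIGN):
        print(f"{p!r:55} vulnerable={map_vulnerable(p)!r:32} hardened={map_hardened(p)!r}")
```

Run it and the first line shows the vulnerable mapper resolving the payload to /etc/passwd while the hardened one rejects it; the double-encoded request stays inside DOCROOT under the hardened mapper only because the literal %2e is never decoded a second time, which is the real lesson of the incomplete 2.4.50 fix. On a live server the final prefix check should be done against os.path.realpath() so symlinks cannot defeat it.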