Really impressive to find that many exploitable issues without once relying on a buffer overflow.
> Why Apache HTTP Server Smells Bad?
In the end:
> The entire development process must be carefully built upon a pile of legacy code and technical debt. So, if any Apache HTTP Server developers are reading this: Thank you for your hard work and contributions!
Quite the tone shift, a bit amusing, but definitely an attention-catching choice, and immensely cool that people are doing research like this.
I'm fairly sure that most large systems have a bunch of potential vulnerabilities. For example, you can most likely do more with Apache than you can with Nginx due to its dynamic nature and module system, but at the same time that comes with dangers like this.
* A maybe ill-advised architecture where lots of independently-developed modules cooperate to handle a request, all working on an over-complicated under-specified request "object".
* The requirement to honor `httpd.conf` file structures dating back to the 1990s, which has led to legacy support code paths that do surprising things.
The core of this article is a two-step attack that exploits (1) the fact that modules alternately interpret `request->filename` as a filename and as a URL, which allows attackers to truncate URLs at path separator characters, which by itself can slip you past some basic ACLs, and (2) the fact that Apache will try to serve requests both with and without the `DocumentRoot` applied, which, combined with the first attack pattern, means that config directives that have attacker-controlled targets give attackers full filesystem access. Hilarity ensues.
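The two confusions the comment above describes, as an added toy model (this is not the article's code, nor Apache's, and the "server" here is a few Python functions over an in-memory fake filesystem). The model assumes: one handler treats the request string as a URL and drops everything from the first `?` (the query-string delimiter; using `?` as the truncation point is the model's assumption, not a claim from this thread), another treats the same string as a filesystem path and resolves `..`, an ACL looks at the string before either happens, and the final lookup falls back to the path with no `DocumentRoot` applied. The rewrite rule, paths and file contents are all constructed for the example; `serve_hardened` shows one way to close both gaps (canonicalize once before the ACL check, and never fall back outside `DocumentRoot`):

```python
"""Toy model of a filename-vs-URL confusion plus a DocumentRoot fallback.

Constructed for illustration only; none of this is Apache's code.
"""
import posixpath
from typing import Optional, Tuple

DOCUMENT_ROOT = "/var/www/html"

# Constructed in-memory "filesystem" standing in for the real disk.
FAKE_FS = {
    "/var/www/html/index.html": "<h1>hello</h1>",
    "/var/www/html/app/page.html": "app page",
    "/etc/secret.conf": "password=hunter2",   # outside DocumentRoot
}


def url_view(s: str) -> str:
    """Interpret s as a URL path: everything from the first '?' is a query string."""
    return s.split("?", 1)[0]


def path_view(s: str) -> str:
    """Interpret s as a filesystem path: collapse '.' and '..' segments."""
    return posixpath.normpath(s)


def rewrite(request_path: str) -> str:
    """Hypothetical rewrite rule: /app/<x> -> /app/<x>.html, where <x> is attacker-controlled."""
    prefix = "/app/"
    if request_path.startswith(prefix):
        return prefix + request_path[len(prefix):] + ".html"
    return request_path


def acl_allows(filename: str) -> bool:
    """Toy ACL that checks the raw, not-yet-canonicalized string."""
    return filename.startswith("/app/")


def lookup(filename: str) -> Optional[str]:
    """Try DocumentRoot + filename first, then the bare filename (the fallback being modelled)."""
    under_root = posixpath.join(DOCUMENT_ROOT, filename.lstrip("/"))
    for candidate in (under_root, filename):
        if candidate in FAKE_FS:
            return FAKE_FS[candidate]
    return None


def serve(request_path: str) -> Tuple[str, Optional[str]]:
    """Vulnerable pipeline: rewrite -> ACL -> URL view -> path view -> lookup with fallback."""
    filename = rewrite(request_path)
    if not acl_allows(filename):
        return ("403", None)
    filename = url_view(filename)    # handler A: "it's a URL", so the '?...' tail is dropped
    filename = path_view(filename)   # handler B: "it's a path", so '..' is resolved
    body = lookup(filename)
    return ("200", body) if body is not None else ("404", None)


def serve_hardened(request_path: str) -> Tuple[str, Optional[str]]:
    """Hardened pipeline: one canonical form, checked before policy, no fallback outside the root."""
    canonical = path_view(rewrite(request_path))
    # Refuse anything that still carries a URL delimiter, and apply the ACL to the canonical form.
    if "?" in canonical or not canonical.startswith("/app/"):
        return ("403", None)
    candidate = posixpath.join(DOCUMENT_ROOT, canonical.lstrip("/"))
    body = FAKE_FS.get(candidate)
    return ("200", body) if body is not None else ("404", None)


if __name__ == "__main__":
    for req in ("/app/page",
                "/app/../../../etc/secret.conf",     # no '?': the '.html' suffix stays, lookup fails
                "/app/../../../etc/secret.conf?"):   # '?' strips the suffix, fallback leaves the root
        print(req, "->", serve(req), "| hardened:", serve_hardened(req))
```

The interesting case is the third request: the rewrite appends `.html`, the ACL is satisfied because the string still starts with `/app/`, the URL-style handler then throws away `?.html`, the path-style handler resolves the `..` segments, and the DocumentRoot fallback serves `/etc/secret.conf`. Without the `?` the same traversal only yields a 404, which is why the truncation step matters.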
There's a really slick attack here that takes you from CRLF-injection to SSRF and RCE, which is neat, because CRLF-injection ("header splitting") would ordinarily not be that interesting of an attack.
This is great stuff that just makes me wish more people ran Apache in 2024.