Techly NewsGet the app

Get the latest tech news

Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server


This is 🍊 speaking

This article explores architectural issues within the Apache HTTP Server, highlighting several technical debts within Httpd, including 3 types of Confusion Attacks, 9 new vulnerabilities, 20 exploitation techniques, and over 30 case studies. As you might know, I always aim to challenge big targets that can impact the entire internet, so I began searching for some complex topics or interesting open-source projects like Nginx, PHP, or even delved into RFCs to strengthen my understanding of protocol details. Since Apache HTTP Server decides whether to consider a file as a Server-Side Script based on the current directory or virtual host configuration, accessing target via an absolute path can confuse Httpd’s logic, causing it to leak contents that should have been executed as code.

Get the Android app

Or read this on Hacker News

Read more on:

Photo of apache http server

apache http server

Photo of confusion attacks

confusion attacks

« Our Founder – Momofuku Ando
Linearizability: A correctness condition for concurrent objects »