Techly NewsGet the app

Get the latest tech news

Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server


This is ๐ŸŠ speaking

This article explores architectural issues within the Apache HTTP Server, highlighting several technical debts within Httpd, including 3 types of Confusion Attacks, 9 new vulnerabilities, 20 exploitation techniques, and over 30 case studies. As you might know, I always aim to challenge big targets that can impact the entire internet, so I began searching for some complex topics or interesting open-source projects like Nginx, PHP, or even delved into RFCs to strengthen my understanding of protocol details. Since Apache HTTP Server decides whether to consider a file as a Server-Side Script based on the current directory or virtual host configuration, accessing target via an absolute path can confuse Httpdโ€™s logic, causing it to leak contents that should have been executed as code.

Get the Android app

Or read this on Hacker News

Read more on:

Photo of apache http server

apache http server

Photo of confusion attacks

confusion attacks

ยซ Our Founder โ€“ Momofuku Ando
Linearizability: A correctness condition for concurrent objects ยป