Orange Tsai's research presented at Black Hat USA 2024 dives deep into the Apache HTTP Server, uncovering architectural issues and multiple vulnerabilities. Key findings include three confusion attack types, nine new vulnerabilities, and over twenty exploitation techniques. Notable issues involve bypassing access controls, escaping the web root via unsafe RewriteRule configurations, and transforming XSS vulnerabilities into RCEs. Akamai has already released mitigation measures. The research emphasizes the critical need for updates and secure configurations to prevent potential exploitation.

34m read time. From blog.orange.tw
Table of contents:
- TL;DR
- Outline
- Before the Story
- How Did the Story Begin?
- Why Apache HTTP Server Smells Bad?
- A Whole New Attack — Confusion Attack
- Future Works
- Conclusion
