Is Apache vulnerable to HTTP POST data contains dot dot path (HTTP_POST_dotdot_data)?
Issue
As per ISS vulnerability: HTTP_POST_dotdot_data.htm :
An attacker is attempting to access an unauthorized file on a Web server. Some Web servers use a "hidden" form field containing a file name to control the operation of a server program. However, even though the field is hidden, it can be overwritten. When the form is submitted to the server, the server may neglect to check for the validity of the field value. Thus, by submitting faulty field values, an attacker may be able to access files on the Web server that contain sensitive information.
Environment
- Red Hat Enterprise Linux 5
- httpd-2.2.3-43
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.