Is Apache vulnerable to HTTP POST data contains dot dot path (HTTP_POST_dotdot_data)?

Solution Verified - Updated -

Issue

As per the ISS vulnerability description (HTTP_POST_dotdot_data.htm):

An attacker is attempting to access an unauthorized file on a Web server. Some Web servers use a "hidden" form field containing a file name to control the operation of a server program. However, even though the field is hidden, it can be overwritten. When the form is submitted to the server, the server may neglect to check for the validity of the field value. Thus, by submitting faulty field values, an attacker may be able to access files on the Web server that contain sensitive information.
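The server-side check that the description says is missing, as an added example (not part of the original article and not Red Hat's resolution): it decodes the POST body, resolves the submitted file name, and rejects any value that leaves the allowed directory. The field name `template`, the directory in `BASE_DIR`, the function names and the sample POST bodies are all hypothetical and constructed for illustration.

```python
import os
from urllib.parse import parse_qs

# Hypothetical directory the server program is allowed to read from.
BASE_DIR = "/var/www/app/templates"


class RejectedField(ValueError):
    """Raised when the submitted file name must not be used."""


def resolve_form_file(post_body, field="template", base_dir=BASE_DIR):
    """Return the absolute path named by a form field, or raise RejectedField.

    post_body is an application/x-www-form-urlencoded request body. A hidden
    field is ordinary client input, so it is validated like any other value.
    """
    values = parse_qs(post_body, keep_blank_values=True).get(field, [])
    if len(values) != 1:
        # Missing or duplicated fields are ambiguous; refuse rather than guess.
        raise RejectedField("expected exactly one %r value" % field)
    name = values[0]  # parse_qs has already percent-decoded the value
    if not name or "\x00" in name:
        raise RejectedField("empty value or embedded NUL")

    # Resolve "..", absolute paths and symlinks first, then compare locations.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise RejectedField("path resolves outside %s" % base)
    return candidate


def classify(post_body):
    """Return 'allowed' or 'rejected' for one request body."""
    try:
        resolve_form_file(post_body)
        return "allowed"
    except RejectedField:
        return "rejected"


if __name__ == "__main__":
    # Constructed sample request bodies.
    for body in ("template=report.html&user=alice",
                 "template=..%2F..%2F..%2Fetc%2Fpasswd",
                 "template=%2Fetc%2Fpasswd"):
        print(classify(body), body)
```

Comparing the resolved path with the base directory, rather than searching the raw string for `..`, also covers percent-encoded separators, absolute paths and symlinks.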

Environment

  • Red Hat Enterprise Linux 5
  • httpd-2.2.3-43
