oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2019-0220: URL normalization inconsistincies

From: Daniel Ruggeri <druggeri () apache org>
Date: Mon, 01 Apr 2019 20:31:27 -0500

CVE-2019-0220: URL normalization inconsistincies

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.0 to 2.4.39

Description:
When the path component of a request URL contains multiple consecutive slashes
('/'), directives such as LocationMatch and RewriteRule must account for
duplicates in regular expressions while other aspects of the servers processing
will implicitly collapse them.
    
Mitigation:
Regular expressions used in directives that match against the path component
of the request URL can be modified to account for multiple consecutive slashes.

Credit:
The issue was discovered by Bernhard Lorenz <bernhard.lorenz () alphastrike io> 
of Alpha Strike Labs GmbH".

References:
https://httpd.apache.org/security/vulnerabilities_24.html
Previous By Date Next
Previous By Thread Next

Current thread: