Apache – CVE-2017-15715

Description

Kayran has detected that the Version of Apache HTTP Server being used is vulnerable to ‘bypass with a trailing newline in the file name’.

CVE-2017-15715 is categorized as an ‘Improper Input Validation’ vulnerability (CWE-20).
That means that the product receives an input or data, but it does not validate or incorrectly validates that the input actually has the properties that are required to process the data safely and correctly.

The expression specified in could possibly match ‘$’ to a newline character in a malicious filename. Rather than matching only the end of the filename.
This could be exploited in environments where uploads of some files are are blocked externally, but only by matching the trailing portion of the filename.

It will lead to information being disclosed, assisting attackers in performing attacks against your assets.
There’s a chance that this vulnerability will allow attackers to modify system files and information. Also, it could cause a decrease in performance and interruptions in the availability of resources.

Recommendation

To fix CVE-2017-15715, upgrade the version of Apache HTTP Server being used to 2.4.33.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15715

https://cwe.mitre.org/data/definitions/20.html

< Return to all Vulnerabilities

Blue Team

We’ve talked about The Red Team before, but what about The Blue Team? How is this group different from the red one? Why would we

Read More »

Servers 101

Let’s have a “quick” Servers 101 Course. Courtesy of Kayran! If you’ve been on the internet for over an hour, you probably already heard of

Read More »

SQLI to RCE

How to preform SQLI TO RCE? One of the most interesting and important things about any site is the database. So, it’s important to protect

Read More »

The Dark Web

Let’s talk about the darker and more mysterious side of the internet, also known as The Dark Web. You’ve probably heard about it, whether it’s

Read More »

Browser Exploitation

We know that it’s possible to exploit weaknesses (or vulnerabilities) that exist in anything, from a certain code to the entire application, let’s talk about

Read More »