Apache WebServer Directory Traversal & Path Disclosure Vulnerabilities (CVE-2002-0661/0654)

Vulnerability Key Information 1. Vulnerability Overview Application: Apache WebServer Version: 2.0.39 and earlier (only on systems supporting backslash path separators, such as Windows/Netware/OS2) Vulnerability Type: - Directory traversal vulnerability (CVE-2002-0661) - Path disclosure bug (CVE-2002-0654) 2. Risk and Impact High Risk: Attackers can access any file on the system and execute code via the path. Low Risk: Attackers can disclose server paths, gaining additional information about the server (e.g., hidden administrator details). 3. Examples and Specific Issues Path Disclosure (CVE-2002-0654): - Specific URL requests cause the server to respond with the full file path. - Example: Directory Traversal (CVE-2002-0661): - The backslash character (equivalent to ) is not treated as malicious and can be used to traverse directories. - Example: can be used to access the file. - Attackers can also execute commands via the path, e.g., 4. Mitigation Recommendations Official Fix: Upgrade to Apache 2.0.40. Temporary Workaround: - In the global server configuration of , add before any or directives. 5. Additional Information For more detailed information, refer to the Apache official website: http://httpd.apache.org

Goal Reached Thanks to every supporter — we hit 100%!

Apache WebServer Directory Traversal & Path Disclosure Vulnerabilities (CVE-2002-0661/0654)