ASA-2019-00173 – Apache HTTP Server: URL normalization inconsistencies


Allele Security Alert

ASA-2019-00173

Identifier(s)

ASA-2019-00173, CVE-2019-0220

Title

URL normalization inconsistencies

Vendor(s)

Apache Software Foundation

Product(s)

Apache HTTP Server (httpd)

Affected version(s)

Apache HTTP Server version 2.4.0 to 2.4.39

Fixed version(s)

Apache HTTP Server 2.4.39

Proof of concept

Unknown

Description

When the path component of a request URL contains multiple consecutive slashes (‘/’), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions, while other aspects of the server's processing will implicitly collapse them.
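
A configuration's own patterns can be checked for this mismatch. The Python script below is an added example, not code from this alert or from the Apache project; the patterns and probe paths are constructed samples, and `merge_slashes`, `variants` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample regexes standing in for the patterns of LocationMatch
# or RewriteRule directives in a site's configuration (assumed values).
PATTERNS = [
    r"^/admin/",            # assumes exactly one slash between segments
    r"^/+admin/+",          # tolerates duplicated slashes
    r"^/api/v1/internal",   # anchored, single slashes only
    r"/private(/|$)",       # unanchored segment match
]

# Constructed request paths that the patterns above are meant to cover.
PROBES = ["/admin/users", "/api/v1/internal/status", "/files/private/report"]


def merge_slashes(path):
    """Collapse runs of '/' as the server's later processing implicitly does."""
    return re.sub(r"/{2,}", "/", path)


def variants(path, max_run=3):
    """Return copies of path with one '/' at a time widened to 2..max_run."""
    out = []
    for i, ch in enumerate(path):
        if ch == "/":
            for n in range(2, max_run + 1):
                out.append(path[:i] + "/" * n + path[i + 1:])
    return out


def audit(patterns, probes):
    """Map each slash-sensitive pattern to the variants it fails to match.

    A variant is reported when the pattern matches its merged form but not
    the raw form, i.e. the regex and the collapsed path disagree.
    """
    findings = {}
    for pat in patterns:
        rx = re.compile(pat)  # searched unanchored unless the pattern has ^
        missed = [v for p in probes for v in variants(p)
                  if rx.search(merge_slashes(v)) and not rx.search(v)]
        if missed:
            findings[pat] = missed
    return findings


if __name__ == "__main__":
    for pat, missed in audit(PATTERNS, PROBES).items():
        print(f"{pat!r} does not match: {', '.join(missed)}")
```

Patterns the script reports need a form such as `^/+admin/+` wherever the regular expression is evaluated against the unmerged path. httpd 2.4.39 and later provide the `MergeSlashes` directive (default `ON`) to merge consecutive slashes before these directives are matched.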

Technical details

Unknown

Credits

Bernhard Lorenz (Alpha Strike Labs GmbH)

Reference(s)

httpd 2.4 vulnerabilities – The Apache HTTP Server Project
https://httpd.apache.org/security/vulnerabilities_24.html

CVE-2019-0220: URL normalization inconsistincies
https://seclists.org/oss-sec/2019/q2/5

CVE-2019-0220
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0220

CVE-2019-0220
https://nvd.nist.gov/vuln/detail/CVE-2019-0220

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: October 2, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.