The Apache 2.0.x Win32 installation ships with a default script, /cgi-bin/test-cgi.bat, that allows an attacker to execute commands on the Apache server (although it is reported that any .bat file could open this vulnerability). An attacker can send a pipe character with commands appended as parameters, which are then executed by Apache.
This bug is fixed in 1.3.24 and 2.0.34-beta. Upgrade to a fixed version, or remove /cgi-bin/test-cgi.bat.
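To check whether a server has already received requests of this shape, the access log can be searched for a pipe character in the query string of any .bat request. The following is an added example, not part of the original advisory; it assumes Common Log Format, and the log lines, addresses and the report.BAT name are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Client address and request target from a Common Log Format line (assumed format).
LOG_RE = re.compile(r'^(\S+) .*?"(?:[A-Z]+) (\S+) HTTP/[\d.]+"')
# The advisory reports that any .bat script may be affected, not only test-cgi.bat.
BAT_RE = re.compile(r'\.bat(?:/|$)', re.IGNORECASE)

# Constructed sample input; PLACEHOLDER stands in for whatever followed the pipe.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2002:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 1043
192.0.2.11 - - [01/Jan/2002:10:00:05 +0000] "GET /cgi-bin/test-cgi.bat?|PLACEHOLDER HTTP/1.0" 200 512
192.0.2.12 - - [01/Jan/2002:10:00:09 +0000] "GET /cgi-bin/report.BAT?x=1%7CPLACEHOLDER HTTP/1.0" 200 300
192.0.2.13 - - [01/Jan/2002:10:00:12 +0000] "GET /cgi-bin/test-cgi.bat?name=value HTTP/1.0" 200 128
192.0.2.14 - - [01/Jan/2002:10:00:15 +0000] "GET /search?q=a%7Cb HTTP/1.0" 200 99
"""

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so %7C and %257C both surface as '|'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(target):
    """True when a .bat script is requested with a pipe in its parameters."""
    path, _, query = target.partition("?")
    return bool(BAT_RE.search(fully_decode(path))) and "|" in fully_decode(query)

def find_hits(log_text):
    """Return (client, request target) for every matching log line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    for client, target in find_hits(SAMPLE_LOG):
        print(f"review: {client} requested {target}")
```

The repeated decoding is deliberately conservative: it may flag requests the server would not have interpreted as a pipe, which is acceptable for a log review.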