CERN HTTPD access control bypass

Summary

It is possible to access protected web pages by changing / with // or /./ This was a bug in old versions of CERN web server A work around consisted in rejecting patterns like: //* *//* /./* */./*

Solution

Upgrade your web server or tighten your filtering rules

Severity

Classification

CVSS	Base Score: 5.0 AV:N/AC:L/Au:N/C:P/I:N/A:N

Related Vulnerabilities

IIS Service Pack - 404
GoAhead Webserver Multiple Stored Cross Site Scripting Vulnerabilities
Cross-Site Scripting in Cherokee Error Pages
iWeb Server URL Directory Traversal Vulnerability
Home Web Server Graphical User Interface Remote Denial Of Service Vulnerability