Vulnerabilities in Apache functions have been at the root of significant breaches, including the one suffered by Equifax. Now new research indicates that another such vulnerability may be putting thousands of applications at risk.
Lawrence Cashdollar, a vulnerability researcher and member of Akamai's Security Incident Response Team, found an issue with the way that thousands of code projects are using Apache .htaccess, leaving them vulnerable to unauthorized access and a subsequent file upload attack in which auto-executing code is uploaded to an application.
The problem, Cashdollar said, is that .htaccess functionality was turned off by default beginning in Apache Version 2.3.9 – though for good reasons. "It turns out that it was a performance hit for the Apache server," he told Dark Reading, explaining that every time a directory was opened, a call to the files in .htaccess would result.
Even more serious, he said, were the security implications. "Users could use this .htaccess access to override security controls for the server itself or the server configuration itself," Cashdollar said. "So it was a security feature that could be misused."