Description
A series of "Confusion Attacks" have been discovered in Apache HTTP Server, exploiting inconsistencies in how different modules interpret and process data. These attacks include Filename Confusion, DocumentRoot Confusion, and Handler Confusion, which can lead to various security issues including bypassing access controls, arbitrary file access, and execution of unintended handlers.
Remediation
Update to the latest version of Apache HTTP Server that addresses these Confusion Attacks. Carefully review and test all RewriteRules, especially those with user-controllable input. Limit the use of FollowSymLinks option and restrict access to sensitive directories. Regularly audit server configurations and installed modules for potential security issues.
References
Related Vulnerabilities
Joomla Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2010-1432)
Jboss EAP Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2019-14885)
WordPress Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2017-6819)
MediaWiki URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2017-0364)
MySQL Use of a Broken or Risky Cryptographic Algorithm Vulnerability (CVE-2018-0735)