From the link, on how the attack works:
An attacker can send a crafted request like GET /protected with a Host: example.com/health?x= header. The request will reach the /protected path, but request.url would be https://example.com/health?x=/protected, and request.url.path would return /health instead of the real request path.
So the classic case of two parsers disagreeing and being too permissive in accepting input.
I found a similar vulnerability in the Zeus Web Server ( https://en.wikipedia.org/wiki/Zeus_Web_Server ) in January 2000.
Zeus had a great feature where you could set up virtual servers just by creating directories. So if you wanted to host www.example.com and www.anotherexample.com you just created two directories of those names like that and away you went.
I discovered that if you sent `Host:` headers which started with `/` then you could use it to traverse the file system and read any file you wanted.
The more things change, the more they stay the same!
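Both comments come down to the same root cause: a Host header value that is not a valid authority (it contains `/`, `?` or similar) gets spliced into a URL or a filesystem path as if it were one. The check below is an added example written for this thread, not code from the linked advisory, the affected project, or Zeus; the function names and the allow-list are assumptions. It reproduces the path confusion from the first comment with Python's own URL parser, then shows a strict Host validator that rejects that value and a `/`-prefixed Host like the one in the Zeus comment.

```python
import re
from urllib.parse import urlsplit

# Strict authority grammar (RFC 3986 host [ ":" port ]): a DNS reg-name or IPv4
# literal, or a bracketed IPv6 literal (checked loosely), with an optional port.
# Slashes, '?', '#', '@' and whitespace can never appear in a legitimate Host.
_HOST_RE = re.compile(
    r"(?P<host>"
    r"\[[0-9A-Fa-f:.]+\]"                           # IPv6 literal in brackets
    r"|[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?"   # reg-name / IPv4 literal
    r")(?::(?P<port>[0-9]{1,5}))?"
)


def naive_request_url(scheme, host_header, raw_path):
    """How a framework that trusts Host verbatim derives request.url.
    Returns (path, query) as that framework would then see them."""
    parts = urlsplit(f"{scheme}://{host_header}{raw_path}")
    return parts.path, parts.query


def validate_host(host_header):
    """Return (host, port) if host_header is a syntactically valid authority,
    else None. Hostname is lower-cased; port must be 1..65535 when present."""
    m = _HOST_RE.fullmatch(host_header)
    if not m:
        return None
    port = m.group("port")
    if port is not None and not (0 < int(port) <= 65535):
        return None
    return m.group("host").lower(), (int(port) if port else None)


def safe_request_path(host_header, raw_path, allowed_hosts):
    """Reject the request (return None) unless Host is well-formed and on the
    allow-list; otherwise return the path from the request line itself, never
    a path re-derived from a URL rebuilt around the Host value."""
    parsed = validate_host(host_header)
    if parsed is None or parsed[0] not in allowed_hosts:
        return None
    return raw_path


if __name__ == "__main__":
    # Constructed sample values taken from the first comment above.
    print(naive_request_url("https", "example.com/health?x=", "/protected"))
    print(validate_host("example.com/health?x="), validate_host("/www.example.com"))
    print(safe_request_path("example.com", "/protected", {"example.com"}))
```

The allow-list comparison is what actually closes the hole: syntax checking alone still lets an attacker pick any well-formed hostname, so pair it with the set of names the server is meant to serve.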