George V. Reilly

Path Traversal Attacks

I was surprised to read this evening that the Apache Web Server just fixed an actively exploited path traversal flaw.

🚨 Apache has disclosed an *actively exploited* Path traversal flaw in the #opensource "httpd" server. Over 112,000 exposed Apache servers run version 2.4.49, and should be upgraded now!
New fix checks for encoded path traversal characters e.g. /../.%2E/ https://t.co/1tLNc3LAul pic.twitter.com/mDHLEU3k9N
— Ax Sharma (@Ax_Sharma) October 5, 2021

Apparently, it was introduced over a year ago.

I'm gobsmacked that Apache didn't have a robust suite of tests for this.

Directory Traversal attacks have been a problem for web servers since the beginning. OWASP, PortSwigger, and Spanning all have explanations that you can read. The essence is that you make …
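The detail in the tweet about encoded traversal characters is the interesting part of this bug class: a check that looks for a literal `..` before percent-decoding is blind to `.%2E`, `%2e%2e` and double-encoded forms. The Python below is an added example, not Apache httpd's code; the document root and the request paths are constructed for illustration. It puts that weak check beside one that decodes first, walks the path segments with a stack, and refuses any `..` that would climb above the root.

```python
"""Path-traversal check: a weak 'match before decoding' test beside a
hardened decode-then-normalize one.  Added example, not Apache httpd's own
code; DOCROOT and the request paths are constructed for illustration."""
from typing import List, Optional, Tuple
from urllib.parse import unquote
import posixpath

DOCROOT = "/var/www/html"   # constructed example document root


def naive_is_traversal(url_path: str) -> bool:
    """Weak check: looks for a literal '..' segment in the raw request path.
    It runs before percent-decoding, so '.%2e', '%2e%2e' and double-encoded
    '%252e%252e' never look like dot-dot to it."""
    return any(seg == ".." for seg in url_path.split("/"))


def decode_fully(url_path: str, max_rounds: int = 4) -> str:
    """Percent-decode to a fixed point (bounded), so '%252e' -> '%2e' -> '.'
    is undone too.  Conservative by design: we cannot know whether a later
    stage decodes again, so assume it might."""
    cur = url_path
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def hardened_resolve(url_path: str, docroot: str = DOCROOT) -> Optional[str]:
    """Decode first, then walk the segments with a stack: '.' and empty
    segments are dropped, '..' pops, and a '..' with nothing left to pop
    means the request would climb above docroot and is rejected.
    Returns the filesystem path, or None when the request is refused."""
    decoded = decode_fully(url_path)
    if "\x00" in decoded or "\\" in decoded:
        return None                 # NUL truncation tricks, backslash separators
    stack: List[str] = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return None         # escape attempt above the document root
            stack.pop()
            continue
        stack.append(seg)
    fs_path = posixpath.join(docroot, *stack) if stack else docroot
    # Belt and braces: whatever we built must still sit under docroot.
    if posixpath.commonpath([docroot, fs_path]) != docroot:
        return None
    return fs_path


# Constructed sample requests, including the '.%2E' shape quoted in the tweet.
SAMPLE_REQUESTS = [
    "/index.html",
    "/cgi-bin/../../etc/passwd",
    "/cgi-bin/.%2E/.%2E/etc/passwd",
    "/cgi-bin/.%2e/%2e%2e/etc/passwd",
    "/icons/%252e%252e/%252e%252e/etc/passwd",
]


def audit(requests: List[str]) -> List[Tuple[str, bool, Optional[str]]]:
    """For each request: (path, flagged by the naive check?, hardened result)."""
    return [(p, naive_is_traversal(p), hardened_resolve(p)) for p in requests]


if __name__ == "__main__":
    for path, naive_flag, resolved in audit(SAMPLE_REQUESTS):
        verdict = "REJECT" if resolved is None else resolved
        print(f"{path:45s} naive_flags={str(naive_flag):5s} hardened={verdict}")
```

Only the plain `/cgi-bin/../../etc/passwd` trips the naive check; every encoded variant walks straight past it and is caught by the hardened path only because decoding happens before the segment walk. The fixed-point decoding in `decode_fully` is deliberately conservative: it treats a double-encoded dot as a dot because the check cannot know whether something downstream will decode again, and it turns `%2F` into a separator, which is the safe direction here. The real httpd fix lives in its own path-normalization code; this only shows the shape of the check and the order of operations that matters.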

Sample ASP Components: now at Github

From October 1996 to May 1997, I wrote a number of sample components for the then-new Active Server Pages (Classic ASP). I worked for MicroCrafts, a consulting company in Redmond, WA; the samples were written for Microsoft's Internet Information Server (IIS) team. Most of the components used Microsoft's new Active Template Library (ATL), a C++ library for COM.

This work had two important consequences for me: Microsoft recruited me to join the IIS development team to work on improving ASP performance for IIS 3, and Wrox Press invited me to write Beginning ATL COM Programming. I was originally supposed to be the sole author of the book, but I was a slow writer and I was …

Reach

Perusing Eric S. Raymond's blog recently, I noticed his claim that, as a one-time maintainer of GIFLIB, he has some of his software running in just about every cellphone and browser.

That got me thinking about my own reach and where software that I've contributed to can be found.

‘Oh that a man's reach should exceed his grasp, or what's a Heaven for?’

—Robert Browning

I spent seven years on the IIS (Internet Information Services) development team at Microsoft. By any measure, that's a successful product, running one-third of all websites. There are over 100 million registered websites. Many of them are parked and many others see negligible volume, but that's millions, perhaps tens …