first commit

httpd/CVE-2017-15715/Dockerfile

@@ -0,0 +1,7 @@
+FROM vulhub/php:5.5-apache
+
+LABEL maintainer="phithon <root@leavesongs.com>"
+
+COPY index.php /var/www/html/
+
+RUN chown www-data:www-data -R /var/www/html

httpd/CVE-2017-15715/README.md

@@ -0,0 +1,35 @@
+# Apache HTTPD Newline Parsing Vulnerability (CVE-2017-15715)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache HTTPD is a widely-used HTTP server that can run PHP web pages through mod_php. A parsing vulnerability exists in versions 2.4.0 through 2.4.29, where a filename ending with `1.php\x0A` will be treated as a PHP file, allowing attackers to bypass certain server security policies.
+
+References:
+
+- <https://httpd.apache.org/security/vulnerabilities_24.html>
+- <https://security.elarlang.eu/cve-2017-15715-apache-http-server-filesmatch-bypass-with-a-trailing-newline-at-the-end-of-the-file-name.html>
+
+## Environment Setup
+
+Execute the following commands to build and start a vulnerable Apache HTTPD server:
+
+```
+docker compose build
+docker compose up -d
+```
+
+After the server is started, Apache will be running at `http://your-ip:8080`.
+
+## Vulnerability Reproduction
+
+First, try to upload a file named `1.php`. The upload will be blocked by the security check:
+
+![Upload blocked by security check](1.png)
+
+However, if we append a `\x0A` (note: must be `\x0A` alone, not `\x0D\x0A`) to the filename `1.php`, the upload will succeed:
+
+![Successful upload with newline character](2.png)
+
+When accessing the uploaded file at `/1.php%0a`, it will be successfully parsed as a PHP file, despite not having a proper PHP extension. This confirms the existence of the parsing vulnerability:
+
+![Successful PHP execution](3.png)

httpd/CVE-2017-15715/README.zh-cn.md

@@ -0,0 +1,35 @@
+# Apache HTTPD 换行符解析漏洞（CVE-2017-15715）
+
+[English](README.md)
+
+Apache HTTPD 是一个广泛使用的 HTTP 服务器，可以通过 mod_php 模块来运行 PHP 网页。在其 2.4.0 到 2.4.29 版本中存在一个解析漏洞，当文件名以 `1.php\x0A` 结尾时，该文件会被按照 PHP 文件进行解析，这使得攻击者可以绕过服务器的一些安全策略。
+
+参考链接：
+
+- <https://httpd.apache.org/security/vulnerabilities_24.html>
+- <https://security.elarlang.eu/cve-2017-15715-apache-http-server-filesmatch-bypass-with-a-trailing-newline-at-the-end-of-the-file-name.html>
+
+## 环境搭建
+
+执行如下命令来编译并启动漏洞环境：
+
+```
+docker compose build
+docker compose up -d
+```
+
+环境启动后，Apache 将运行在 `http://your-ip:8080`。
+
+## 漏洞复现
+
+首先，尝试上传一个名为 `1.php` 的文件，可以看到上传被安全检查拦截：
+
+![上传被安全检查拦截](1.png)
+
+但是，如果我们在文件名 `1.php` 后面添加一个 `\x0A`（注意：必须是单独的 `\x0A`，而不是 `\x0D\x0A`），上传就会成功：
+
+![使用换行符成功上传](2.png)
+
+当访问上传的文件 `/1.php%0a` 时，虽然该文件没有正确的 PHP 扩展名，但它会被成功解析为 PHP 文件。这证实了解析漏洞的存在：
+
+![成功执行 PHP 代码](3.png)

httpd/CVE-2017-15715/docker-compose.yml

@@ -0,0 +1,6 @@
+version: '2'
+services:
+ apache:
+   build: .
+   ports:
+    - "8080:80"

httpd/CVE-2017-15715/index.php

@@ -0,0 +1,33 @@
+<?php
+if(isset($_FILES['file'])) {
+    $name = basename($_POST['name']);
+    $ext = pathinfo($name,PATHINFO_EXTENSION);
+    if(in_array($ext, ['php', 'php3', 'php4', 'php5', 'phtml', 'pht'])) {
+        exit('bad file');
+    }
+    move_uploaded_file($_FILES['file']['tmp_name'], './' . $name);
+} else {
+
+?>
+
+<!DOCTYPE html>
+<html>
+<head>
+	<title>Upload</title>
+</head>
+<body>
+<form method="POST" enctype="multipart/form-data">
+	<p>
+		<label>file:<input type="file" name="file"></label>
+	</p>
+	<p>
+		<label>filename:<input type="text" name="name" value="evil.php"></label>
+	</p>
+	<input type="submit">
+</form>
+</body>
+</html>
+
+<?php
+}
+?>