Orange Tsai's Black Hat USA 2024 research revealed architectural vulnerabilities in Apache HTTP Server (httpd), identifying three types of "Confusion Attacks" that exploit semantic inconsistencies between httpd modules.

These led to 9 new vulnerabilities and 20 exploitation techniques, including access control bypasses and arbitrary file access outside the web root. The findings highlight the difficulty of balancing backward compatibility with security in long-standing open-source projects.

Akamai proactively collaborated with Tsai before his presentation, implementing preemptive protections against these vulnerabilities in their App & API Protector web application firewall service.

Orange Tsai's research findings: https://blog.orange.tw/2024/08/confusion-attacks-en.html

Black Hat presentation: https://i.blackhat.com/BH-US-24/Presentations/US24-Orange-Confusion-Attacks-Exploiting-Hidden-Semantic-Thursday.pdf

Akamai acknowledgement and mitigations: https://www.akamai.com/blog/security-research/2024-august-apache-waf-proactive-collaboration-orange-tsai-devcore

#infosec #blackhat2024 #cybersecurity #apache