Vulnerability in the Nostromo http server leading to remote code execution

A vulnerability (CVE-2019-16278) has been identified in the Nostromo http server (nhttpd) that allows an attacker to remotely execute code on the server by sending a specially crafted HTTP request. The issue will be fixed in release 1.9.7 (not yet published). According to data from the Shodan search engine, the Nostromo http server is used on approximately 2000 publicly accessible hosts.

The vulnerability is caused by an error in the http_verify function that allows access to file system contents outside the site's root directory by passing the sequence ".%0d./" in the path. The bug arises because the check for the "../" sequence is performed before the path normalization step that removes carriage-return characters (%0d) from the string: the check sees ".\r./", which does not match "../", and only afterwards is the \r stripped, turning each such element into a plain "../".

To exploit the vulnerability, one can request /bin/sh instead of a CGI script and execute arbitrary shell commands by sending a POST request to the URI "/.%0d./.%0d./.%0d./.%0d./bin/sh" with the commands in the request body. Interestingly, a similar vulnerability (CVE-2011-0751), which allowed an attack via the request "/..%2f..%2f..%2fbin/sh", was already fixed in Nostromo in 2011.
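The ordering problem described above can be reproduced in a few lines. The following Python model is an added illustration written for this note, not nhttpd's own code: DOCROOT, the function names and the three-step pipeline (percent-decode, "../" check, carriage-return stripping) are assumptions that follow the description in the text. verify_vulnerable performs the check before CR stripping, as the flawed http_verify did; verify_fixed normalizes first and additionally confirms that the resolved path stays under the document root.

```python
"""Model of the check-before-normalization bug behind CVE-2019-16278.

Simplified simulation for illustration only; not nhttpd's source.
DOCROOT and the function names are assumptions.
"""
from urllib.parse import unquote
import posixpath

DOCROOT = "/var/nostromo/htdocs"  # assumed document root


def strip_cr(path: str) -> str:
    """The normalization step from the text: drop carriage returns (%0d)."""
    return path.replace("\r", "")


def has_traversal(path: str) -> bool:
    """The literal '../' check."""
    return "../" in path


def resolve(path: str) -> str:
    """Map a request path onto the filesystem below DOCROOT."""
    return posixpath.normpath(DOCROOT + path)


def verify_vulnerable(request_path: str):
    """Vulnerable order: check '../' first, strip CR afterwards.

    Returns the filesystem path that would be served, or None if rejected.
    """
    path = unquote(request_path)   # percent-decode: %0d -> '\r', %2f -> '/'
    if has_traversal(path):        # '.\r./' does not contain '../' ...
        return None
    path = strip_cr(path)          # ... but becomes '../' once CR is removed
    return resolve(path)


def verify_fixed(request_path: str):
    """Fixed order: normalize first, then check, then confine to DOCROOT."""
    path = strip_cr(unquote(request_path))
    if has_traversal(path):
        return None
    resolved = resolve(path)
    # Defence in depth: reject anything that normalizes outside the docroot,
    # regardless of which encoding trick produced it.
    if resolved != DOCROOT and not resolved.startswith(DOCROOT + "/"):
        return None
    return resolved


if __name__ == "__main__":
    # Constructed sample request paths: a normal file, plain traversal,
    # the CVE-2011-0751 style path and the CVE-2019-16278 style path.
    for p in ("/index.html",
              "/../../../../bin/sh",
              "/..%2f..%2f..%2fbin/sh",
              "/.%0d./.%0d./.%0d./.%0d./bin/sh"):
        print(f"{p!r:38} vulnerable -> {verify_vulnerable(p)!r:34} "
              f"fixed -> {verify_fixed(p)!r}")
```

Running the block shows that both the plain "../" path and the 2011-style "..%2f" path are rejected by either version, because decoding happens before the check, while the "%0d" path slips through verify_vulnerable and resolves to /bin/sh. The final prefix comparison in verify_fixed is the check worth keeping in any such server: it judges the path the filesystem will actually see, so it does not depend on enumerating every encoding that a literal substring check might miss.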

Source: opennet.ru
