in http server
(CVE-2019-16278) that allows an attacker to remotely execute their code on a server by sending a specially crafted HTTP request. Issue will be fixed in release
The vulnerability is caused by an error in the http_verify function, which allows access to file system contents outside the site's root directory when the sequence ".%0d./" is passed in the path. It arises because the check for the characters "../" is performed before the path normalization function runs, and that function removes newline characters (%0d) from the string.
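The ordering problem described above, as an added example that is not the server's own code: it shows the check-then-normalize order beside the corrected normalize-then-check order. The function names, the buffer handling and the sample request are assumptions, and the input is taken to be already URL-decoded, so %0d appears as a carriage return byte.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical normalization step: drop carriage returns (decoded %0d) in place. */
static void strip_cr(char *s) {
    char *w = s;
    for (const char *r = s; *r; r++)
        if (*r != '\r')
            *w++ = *r;
    *w = '\0';
}

/* Returns 1 if the path contains "../" or ends in "/..". */
static int has_dotdot(const char *s) {
    size_t n = strlen(s);
    if (strstr(s, "../") != NULL) return 1;
    return n >= 3 && strcmp(s + n - 3, "/..") == 0;
}

/* Flawed order: check first, normalize afterwards.
   Returns 1 if accepted; out holds the path that would then be used. */
int verify_check_then_normalize(const char *decoded, char *out, size_t outsz) {
    if (strlen(decoded) >= outsz) return 0;
    strcpy(out, decoded);
    if (has_dotdot(out)) return 0;   /* sees ".\r./", so nothing matches */
    strip_cr(out);                   /* ".\r./" collapses to "../" */
    return 1;
}

/* Corrected order: normalize first, then check the string that will be used. */
int verify_normalize_then_check(const char *decoded, char *out, size_t outsz) {
    if (strlen(decoded) >= outsz) return 0;
    strcpy(out, decoded);
    strip_cr(out);
    return !has_dotdot(out);
}

int main(void) {
    /* Constructed sample: decoded form of "/.%0d./.%0d./secret.txt". */
    const char *req = "/.\r./.\r./secret.txt";
    char path[256];
    int a = verify_check_then_normalize(req, path, sizeof path);
    printf("check-then-normalize: accepted=%d dotdot_after=%d\n", a, has_dotdot(path));
    int b = verify_normalize_then_check(req, path, sizeof path);
    printf("normalize-then-check: accepted=%d\n", b);
    return 0;
}
```

The general rule the example illustrates is that a validation check must run on the exact string that is later used to open the file, after every decoding and normalization step.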
For
Source: opennet.ru