VYPR
Unrated severity · NVD Advisory · Published Aug 12, 2002 · Updated Jun 16, 2026

CVE-2002-0661

Description

Directory traversal vulnerability in Apache 2.0 through 2.0.39 on Windows, OS2, and Netware allows remote attackers to read arbitrary files and execute commands via .. (dot dot) sequences containing \ (backslash) characters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products (13)

  • Apache / HTTP Server: 13 versions
    • cpe:2.3:a:apache:http_server:2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.28:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.28:beta:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.28:beta:win32:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.32:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.32:beta:win32:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.34:beta:win32:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.35:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.36:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.37:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.38:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.39:*:*:*:*:*:*:*
    • (no CPE) version range: >=2.0, <=2.0.39

Patches

Vulnerability mechanics

Root cause

"The Apache HTTP Server on Windows, OS2, and Netware did not properly sanitize directory traversal sequences containing backslashes."

Attack vector

A remote attacker sends a crafted URL in which `..` components are joined by backslashes (`..\`) rather than forward slashes. Because the server's traversal check on these platforms only recognised forward-slash-separated `..` components, such a path passes the check intact, while the underlying Windows, OS2 or Netware filesystem treats `\` as a directory separator and resolves the climb. Per the description this allows reading arbitrary files and executing commands. Apache 2.0 through 2.0.39 is affected only when running on Windows, OS2 or Netware; Unix builds are not affected.
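The C program below is an added illustration of the separator-handling mistake the description points at; it is not Apache's code and not the bundled patch. The same normaliser is run twice: once treating only `/` as a component separator (the unsafe rule, under which `..\..\file` is a single opaque file name and never looks like a traversal) and once also treating `\` as a separator, which is what a Win32, OS2 or NetWare build must do to catch a climb above the document root. The sample request paths and file names are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_SEGS 64

/* Is c a separator under the rule in force? Win32, OS/2 and NetWare
 * filesystems accept '\\' as well as '/'. */
static bool is_sep(char c, bool backslash_is_sep)
{
    return c == '/' || (backslash_is_sep && c == '\\');
}

/* Collapse "." and ".." components of a request path into `out`.
 * Returns false when ".." would climb above the document root (reject the
 * request) or the buffer is too small. Only separators the rule recognises
 * split components: with backslash_is_sep == false, "..\\..\\x" is one
 * opaque file name and is never seen as a traversal. */
bool normalize_path(const char *in, bool backslash_is_sep,
                    char *out, size_t outlen)
{
    const char *seg[MAX_SEGS];
    size_t len[MAX_SEGS];
    int depth = 0;
    const char *p = in;

    while (*p) {
        while (is_sep(*p, backslash_is_sep))
            p++;                              /* skip a run of separators */
        if (!*p)
            break;
        const char *start = p;
        while (*p && !is_sep(*p, backslash_is_sep))
            p++;
        size_t n = (size_t)(p - start);
        if (n == 1 && start[0] == '.')
            continue;                         /* "." is a no-op */
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return false;                 /* ".." above the root */
            depth--;
            continue;
        }
        if (depth >= MAX_SEGS)
            return false;
        seg[depth] = start;
        len[depth++] = n;
    }

    size_t used = 0;
    for (int i = 0; i < depth; i++) {
        if (used + 1 + len[i] + 1 > outlen)
            return false;
        out[used++] = '/';
        memcpy(out + used, seg[i], len[i]);
        used += len[i];
    }
    if (used == 0) {                          /* bare document root */
        if (outlen < 2)
            return false;
        out[used++] = '/';
    }
    out[used] = '\0';
    return true;
}

/* Rejected when only '/' counts as a separator? Models the unsafe rule. */
bool rejected_slash_only(const char *uri)
{
    char buf[512];
    return !normalize_path(uri, false, buf, sizeof buf);
}

/* Rejected when '\\' also counts as a separator? The platform-correct rule. */
bool rejected_backslash_aware(const char *uri)
{
    char buf[512];
    return !normalize_path(uri, true, buf, sizeof buf);
}

/* Normalised path under the backslash-aware rule, or NULL if rejected. */
const char *normalized_backslash_aware(const char *uri)
{
    static char buf[512];
    return normalize_path(uri, true, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    /* Constructed sample requests; target file names are illustrative. */
    const char *probes[] = { "/..\\..\\boot.ini",
                             "/icons/..\\..\\..\\boot.ini",
                             "/icons/../index.html" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-30s slash-only: %-7s backslash-aware: %s\n", probes[i],
               rejected_slash_only(probes[i]) ? "reject" : "ACCEPT",
               rejected_backslash_aware(probes[i]) ? "reject" : "accept");
    return 0;
}
```

The point of the two wrappers is that the traversal check and the filesystem must agree on what a separator is; when the check uses a narrower set than the platform's filesystem, every extra separator the filesystem accepts becomes a bypass.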

Affected code

The vulnerability resides in the core request handling of the Apache HTTP Server, specifically in how request paths are processed on the Windows, OS2 and Netware platforms. The fix-commit diff bundled with this entry only removes the `modules/experimental/util_ldap.c` file; that change is unrelated to the directory traversal described in the CVE, so the bundled diff does not show the affected code.

What the fix does

The bundled patch removes the `modules/experimental/util_ldap.c` file entirely and does not contain the directory traversal fix itself. The advisory states that Apache 2.0.40 and later address the issue by properly sanitizing path components on the affected platforms, so that `..` sequences joined by backslashes are no longer passed through as valid path components. Practitioners on Windows, OS2 or Netware should verify they run 2.0.40 or later rather than relying on this diff.

Preconditions

  • config: The affected Apache HTTP Server version (2.0 through 2.0.39) must be running on a Windows, OS2, or Netware operating system.
  • network: The attacker must have network access to the Apache HTTP Server.

Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (17)

News mentions (0)

No linked articles in our index yet.