- Status Closed
-
Assigned To
cbay - Private
Opened by Att4ker - 13.03.2026
Last edited by cbay - 16.03.2026
FS#305 - Security Report: Apache Directive Injection Through Site Configuration API
Hello Security Team,
I would like to report a security issue identified while testing site configuration through the API.
Name of vulnerability:
Apache directive injection through vhost_additional_directives in site configuration API
Description:
The vhost_additional_directives field appears to accept Apache directive content without filtering. In testing performed on a site under my own account, a directive supplied through this field was applied to the generated virtual host configuration and became active on the hosted site.
A simple Alias directive was accepted and mapped a local file to a public path, indicating that directives provided through this field are interpreted by Apache as part of the site configuration.
Steps to reproduce:
Using a site under my own account, I sent the following PATCH request:
curl -u "<account>:<password>"
-X PATCH "https://api.alwaysdata.com/v1/site/<site_id>/"
-H "Content-Type: application/json"
-d '{"vhost_additional_directives":"Alias /readfile /etc/passwd"}'
After the configuration was applied, I accessed:
https://<test-subdomain>.alwaysdata.net/readfile
The response returned the contents of /etc/passwd. A screenshot showing both the request and the resulting response is attached for reference.
Impact:
This behavior suggests that directives supplied through the API may be applied without validation, allowing configuration changes beyond the intended scope of this field. In the tested case, it resulted in local file exposure through a web-accessible path on a site under my own account.
Vulnerable HTTP Request and Response:
Request:
PATCH /v1/site/<site_id>/ HTTP/1.1
Content-Type: application/json
{
"vhost_additional_directives": "Alias /readfile /etc/passwd"
}
Observed response after visiting the configured path:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
…
Remediation:
A possible remediation would be to validate or restrict directives accepted in vhost_additional_directives, allow only expected configuration directives, and reject directives that expose filesystem paths or alter request routing outside the intended use of this field.
Testing was limited to infrastructure associated with my own account. No destructive actions were performed, and only read verification was used to confirm the behavior.
Please let me know if any additional details would be helpful.
Best regards
PoC_Screenshot.png
Loading...
Available keyboard shortcuts
- Alt + ⇧ Shift + l Login Dialog / Logout
- Alt + ⇧ Shift + a Add new task
- Alt + ⇧ Shift + m My searches
- Alt + ⇧ Shift + t focus taskid search
Tasklist
- o open selected task
- j move cursor down
- k move cursor up
Task Details
- n Next task
- p Previous task
- Alt + ⇧ Shift + e ↵ Enter Edit this task
- Alt + ⇧ Shift + w watch task
- Alt + ⇧ Shift + y Close Task
Task Editing
- Alt + ⇧ Shift + s save task
Hello,
I can confirm that there is no validation, on purpose. It lets you modify your own Apache configuration as you want, without any restriction.
That's not a security issue as it doesn't let you do anything that you couldn't do otherwise. For instance, reading /etc/passwd can be done by simply doing a "cat /etc/passwd" in SSH.
Kind regards,
Cyril
Hello Cyril,
Thank you for the clarification and for reviewing the report.
Understood — if unrestricted Apache directives are considered part of the intended customer configuration model, then that explains the behavior.
My reasoning was mainly that exposing server-readable files through HTTP routing could slightly change accessibility compared with shell-only access, but I understand your position that this does not cross an intended privilege boundary for the account owner.
Thank you again for the clarification.
Kind regards