Merge pull request vulhub#602 from vulhub/httpd-translate

Update Apache HTTPD documentation

environments.toml

@@ -539,7 +539,7 @@ app = "Hadoop YARN"
 path = "hadoop/unauthorized-yarn"
 
 [[environment]]
-name = "Apache HTTPD Newline Parsing"
+name = "Apache HTTPD Newline Parsing Vulnerability"
 cve = ["CVE-2017-15715"]
 app = "Apache HTTP Server"
 path = "httpd/CVE-2017-15715"
@@ -563,13 +563,13 @@ app = "Apache HTTP Server"
 path = "httpd/CVE-2021-42013"
 
 [[environment]]
-name = "Apache HTTPD Unknown Suffix Parsing"
+name = "Apache HTTPD Multiple Extension Parsing Vulnerability"
 cve = []
 app = "Apache HTTP Server"
 path = "httpd/apache_parsing_vulnerability"
 
 [[environment]]
-name = "Apache SSI Remote Command Execution"
+name = "Apache HTTP Server SSI Remote Command Execution"
 cve = []
 app = "Apache HTTP Server"
 path = "httpd/ssi-rce"

httpd/CVE-2017-15715/README.md

@@ -1,28 +1,35 @@
-# Apache HTTPD 换行解析漏洞（CVE-2017-15715）
+# Apache HTTPD Newline Parsing Vulnerability (CVE-2017-15715)
 
-Apache HTTPD是一款HTTP服务器，它可以通过mod_php来运行PHP网页。其2.4.0~2.4.29版本中存在一个解析漏洞，在解析PHP时，`1.php\x0A`将被按照PHP后缀进行解析，导致绕过一些服务器的安全策略。
+[中文版本(Chinese version)](README.zh-cn.md)
 
-## 漏洞环境
+Apache HTTPD is a widely-used HTTP server that can run PHP web pages through mod_php. A parsing vulnerability exists in versions 2.4.0 through 2.4.29, where a filename ending with `1.php\x0A` will be treated as a PHP file, allowing attackers to bypass certain server security policies.
 
-编译及运行漏洞环境：
+References:
+
+- <https://httpd.apache.org/security/vulnerabilities_24.html>
+- <https://security.elarlang.eu/cve-2017-15715-apache-http-server-filesmatch-bypass-with-a-trailing-newline-at-the-end-of-the-file-name.html>
+
+## Environment Setup
+
+Execute the following commands to build and start a vulnerable Apache HTTPD server:
 
 ```
 docker compose build
 docker compose up -d
 ```
 
-启动后Apache运行在`http://your-ip:8080`。
+After the server is started, Apache will be running at `http://your-ip:8080`.
 
-## 漏洞复现
+## Vulnerability Reproduction
 
-上传一个名为1.php的文件，被拦截：
+First, try to upload a file named `1.php`. The upload will be blocked by the security check:
 
-![](1.png)
+![Upload blocked by security check](1.png)
 
-在1.php后面插入一个`\x0A`（注意，不能是`\x0D\x0A`，只能是一个`\x0A`），不再拦截：
+However, if we append a `\x0A` (note: must be `\x0A` alone, not `\x0D\x0A`) to the filename `1.php`, the upload will succeed:
 
-![](2.png)
+![Successful upload with newline character](2.png)
 
-访问刚才上传的`/1.php%0a`，发现能够成功解析，但这个文件不是php后缀，说明目标存在解析漏洞：
+When accessing the uploaded file at `/1.php%0a`, it will be successfully parsed as a PHP file, despite not having a proper PHP extension. This confirms the existence of the parsing vulnerability:
 
-![](3.png)
+![Successful PHP execution](3.png)

httpd/CVE-2017-15715/README.zh-cn.md

@@ -0,0 +1,35 @@
+# Apache HTTPD 换行符解析漏洞（CVE-2017-15715）
+
+[English](README.md)
+
+Apache HTTPD 是一个广泛使用的 HTTP 服务器，可以通过 mod_php 模块来运行 PHP 网页。在其 2.4.0 到 2.4.29 版本中存在一个解析漏洞，当文件名以 `1.php\x0A` 结尾时，该文件会被按照 PHP 文件进行解析，这使得攻击者可以绕过服务器的一些安全策略。
+
+参考链接：
+
+- <https://httpd.apache.org/security/vulnerabilities_24.html>
+- <https://security.elarlang.eu/cve-2017-15715-apache-http-server-filesmatch-bypass-with-a-trailing-newline-at-the-end-of-the-file-name.html>
+
+## 环境搭建
+
+执行如下命令来编译并启动漏洞环境：
+
+```
+docker compose build
+docker compose up -d
+```
+
+环境启动后，Apache 将运行在 `http://your-ip:8080`。
+
+## 漏洞复现
+
+首先，尝试上传一个名为 `1.php` 的文件，可以看到上传被安全检查拦截：
+
+![上传被安全检查拦截](1.png)
+
+但是，如果我们在文件名 `1.php` 后面添加一个 `\x0A`（注意：必须是单独的 `\x0A`，而不是 `\x0D\x0A`），上传就会成功：
+
+![使用换行符成功上传](2.png)
+
+当访问上传的文件 `/1.php%0a` 时，虽然该文件没有正确的 PHP 扩展名，但它会被成功解析为 PHP 文件。这证实了解析漏洞的存在：
+
+![成功执行 PHP 代码](3.png)

httpd/apache_parsing_vulnerability/README.md

@@ -1,36 +1,40 @@
-# Apache HTTPD 多后缀解析漏洞
+# Apache HTTPD Multiple Extension Parsing Vulnerability
 
-Apache HTTPD 支持一个文件拥有多个后缀，并为不同后缀执行不同的指令。比如，如下配置文件：
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache HTTPD is a widely-used HTTP server that can run PHP web pages through mod_php. This vulnerability is related to how Apache HTTPD handles files with multiple extensions.
+
+Apache HTTPD supports files having multiple extensions, with different directives being executed for each extension. When misconfigured, this feature can lead to security vulnerabilities where malicious files bypass upload restrictions. For example, with the following configuration:
 
 ```
 AddType text/html .html
 AddLanguage zh-CN .cn
+AddHandler application/x-httpd-php .php
 ```
 
-其给`.html`后缀增加了media-type，值为`text/html`；给`.cn`后缀增加了语言，值为`zh-CN`。此时，如果用户请求文件`index.cn.html`，他将返回一个中文的html页面。
-
-以上就是Apache多后缀的特性。如果运维人员给`.php`后缀增加了处理器：
+The server will process multiple extensions from left to right, and if any extension is configured to be handled by a specific handler (like PHP), it will be executed regardless of its position in the filename. This means a file named `malicious.php.jpg` would still be executed as PHP code, potentially bypassing upload restrictions that only check the final extension.
 
-```
-AddHandler application/x-httpd-php .php
-```
+References:
 
-那么，在有多个后缀的情况下，只要一个文件含有`.php`后缀的文件即将被识别成PHP文件，没必要是最后一个后缀。利用这个特性，将会造成一个可以绕过上传白名单的解析漏洞。
+- [Apache HTTP Server Documentation - MultiViews](https://httpd.apache.org/docs/current/content-negotiation.html#multiviews)
+- [OWASP File Upload Vulnerabilities](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)
 
-## 漏洞环境
+## Environment Setup
 
-运行如下命令启动一个稳定版Apache，并附带PHP 7.3环境：
+Execute the following command to start an Apache server with PHP 7.3 environment:
 
 ```
 docker compose up -d
 ```
 
-## 漏洞复现
+## Vulnerability Reproduction
+
+First, visit `http://your-ip/uploadfiles/apache.php.jpeg` in your browser. You'll notice that despite having a `.jpeg` extension, the file is executed as PHP code and displays the phpinfo() page.
 
-环境运行后，访问`http://your-ip/uploadfiles/apache.php.jpeg`即可发现，phpinfo被执行了，该文件被解析为php脚本。
+To actively exploit this vulnerability, visit `http://your-ip/index.php` where you'll find a file upload interface with extension whitelist validation. The upload functionality only checks the final extension but doesn't rename the uploaded file. By uploading a file with multiple extensions like `shell.php.jpg` or `shell.php.jpeg`, we can bypass the extension check while ensuring the file is still executed as PHP code by Apache.
 
-`http://your-ip/index.php`中是一个白名单检查文件后缀的上传组件，上传完成后并未重命名。我们可以通过上传文件名为`xxx.php.jpg`或`xxx.php.jpeg`的文件，利用Apache解析漏洞进行getshell。
+![Upload Interface](1.png)
 
-![](1.png)
+After successful upload, accessing the file through the browser will execute the PHP code, demonstrating the vulnerability:
 
-![](2.png)
+![Vulnerability Proof](2.png)

httpd/apache_parsing_vulnerability/README.zh-cn.md

@@ -0,0 +1,40 @@
+# Apache HTTPD 多后缀解析漏洞
+
+[English](README.md)
+
+Apache HTTPD 是一个广泛使用的开源Web服务器软件。这个漏洞与Apache HTTPD处理多后缀文件的机制有关。
+
+Apache HTTPD支持一个文件拥有多个后缀，并为不同后缀执行不同的指令。当配置不当时，这个特性可能导致安全漏洞，使恶意文件绕过上传限制。例如，以下配置：
+
+```
+AddType text/html .html
+AddLanguage zh-CN .cn
+AddHandler application/x-httpd-php .php
+```
+
+服务器会从左到右处理多个后缀，如果任何后缀被配置为由特定处理器（如PHP）处理，那么无论该后缀在文件名中的位置如何，都会被执行。这意味着一个名为`malicious.php.jpg`的文件仍然会被作为PHP代码执行，从而可能绕过仅检查最后一个后缀的上传限制。
+
+参考链接：
+
+- [Apache HTTP Server文档 - MultiViews](https://httpd.apache.org/docs/current/content-negotiation.html#multiviews)
+- [OWASP文件上传漏洞](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)
+
+## 环境搭建
+
+执行以下命令启动一个包含PHP 7.3环境的Apache服务器：
+
+```
+docker compose up -d
+```
+
+## 漏洞复现
+
+首先，在浏览器中访问`http://your-ip/uploadfiles/apache.php.jpeg`。你会发现，尽管文件具有`.jpeg`后缀，但它被作为PHP代码执行并显示了phpinfo()页面。
+
+要主动利用这个漏洞，访问`http://your-ip/index.php`，你会看到一个带有后缀白名单验证的文件上传界面。上传功能只检查最后一个后缀，且不会重命名上传的文件。通过上传具有多个后缀的文件（如`shell.php.jpg`或`shell.php.jpeg`），我们可以绕过后缀检查，同时确保文件被Apache作为PHP代码执行。
+
+![上传界面](1.png)
+
+成功上传后，通过浏览器访问该文件将执行PHP代码，证实了漏洞的存在：
+
+![漏洞证明](2.png)

httpd/apache_parsing_vulnerability/docker-compose.yml

@@ -1,11 +1,10 @@
-version: '2'
 services:
  apache:
-   image: php:apache
+   image: php:7.3-apache
    volumes:
     - ./www:/var/www/html
     - ./conf/docker-php.conf:/etc/apache2/conf-enabled/docker-php.conf
     - ./start.sh:/var/www/start.sh
    command: /bin/sh /var/www/start.sh
    ports:
-    - "80:80"
+    - "80:80"

httpd/ssi-rce/README.md

@@ -1,32 +1,36 @@
-# Apache SSI 远程命令执行漏洞
+# Apache HTTP Server SSI Remote Command Execution
 
-在测试任意文件上传漏洞的时候，目标服务端可能不允许上传php后缀的文件。如果目标服务器开启了SSI与CGI支持，我们可以上传一个shtml文件，并利用`<!--#exec cmd="id" -->`语法执行任意命令。
+[中文版本(Chinese version)](README.zh-cn.md)
 
-参考链接：
+Apache HTTP Server with Server Side Includes (SSI) enabled allows server-side execution of commands through special SSI directives in HTML files. When misconfigured, this feature can be exploited through file upload vulnerabilities.
 
-- https://httpd.apache.org/docs/2.4/howto/ssi.html
-- https://www.w3.org/Jigsaw/Doc/User/SSI.html
+When testing arbitrary file upload vulnerabilities, the target server might block files with PHP extensions. However, if the server has SSI and CGI support enabled, attackers can upload an SHTML file and execute arbitrary commands using the `<!--#exec cmd="command" -->` syntax.
 
-## 漏洞环境
+References:
 
-运行一个支持SSI与CGI的Apache服务器：
+- [Apache SSI Documentation](https://httpd.apache.org/docs/2.4/howto/ssi.html)
+- [W3 SSI Directives](https://www.w3.org/Jigsaw/Doc/User/SSI.html)
+
+## Environment Setup
+
+Execute the following command to start an Apache HTTP Server with SSI and CGI support:
 
 ```
 docker compose up -d
 ```
 
-环境启动后，访问`http://your-ip:8080/upload.php`，即可看到一个上传表单。
+After the server is started, visit `http://your-ip:8080/upload.php` to access the upload form.
 
-## 漏洞复现
+## Vulnerability Reproduction
 
-正常上传PHP文件是不允许的，我们可以上传一个shell.shtml文件：
+While uploading PHP files is not allowed, we can upload a file named `shell.shtml` with the following content:
 
 ```shtml
 <!--#exec cmd="ls" -->
 ```
 
-![](1.png)
+![Upload Interface](1.png)
 
-成功上传，然后访问shell.shtml，可见命令已成功执行：
+After successful upload, visiting the shell.shtml file will execute the command, demonstrating the vulnerability:
 
-![](2.png)
+![Command Execution Result](2.png)

httpd/ssi-rce/README.zh-cn.md

@@ -0,0 +1,34 @@
+# Apache HTTP Server SSI 远程命令执行漏洞
+
+Apache HTTP Server 开启了服务器端包含（SSI）功能时，允许通过特殊的SSI指令在HTML文件中执行服务器端命令。当配置不当时，这个功能可能被通过文件上传漏洞利用。
+
+在测试任意文件上传漏洞时，目标服务器可能会禁止上传PHP后缀的文件。但是，如果服务器开启了SSI和CGI支持，攻击者可以上传一个SHTML文件，并使用 `<!--#exec cmd="命令" -->` 语法执行任意命令。
+
+参考链接：
+
+- [Apache SSI 文档](https://httpd.apache.org/docs/2.4/howto/ssi.html)
+- [W3 SSI 指令](https://www.w3.org/Jigsaw/Doc/User/SSI.html)
+
+## 环境搭建
+
+执行以下命令启动一个支持SSI和CGI的Apache服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问 `http://your-ip:8080/upload.php` 即可看到上传表单界面。
+
+## 漏洞复现
+
+虽然上传PHP文件是被禁止的，但我们可以上传一个名为 `shell.shtml` 的文件，内容如下：
+
+```shtml
+<!--#exec cmd="ls" -->
+```
+
+![上传界面](1.png)
+
+成功上传后，访问shell.shtml文件，可以看到命令已被执行，证实了漏洞的存在：
+
+![命令执行结果](2.png)