The Apache HTTP Server is comprised of dozens of different modules, which are coupled together. While delving into the source by chance, we discovered that the coding style seemed a little bit... open? When a new HTTP request arrives, all modules uphold and maintain a colossal structure, collaborating in harmony to complete the request. While this cooperation might sound ideal, the reality reveals a significant challenge: the modules are not entirely familiar with each other, especially regarding the implementation details. However, they are asked to collaborate to fulfill the task. If any module has an incorrect understanding of any fields of this huge structure, it could potentially lead to fatal issues.

This observation led us to focus on interactions between modules, and discover this new attack surface. Let's see how a seemingly harmless structure modification can be passed through layers, amplifying the impact and affecting other modules to become vulnerabilities. This novel attack surface unearthed 3 distinct types of Confusion Attacks and 8 vulnerabilities, which allow us to navigate easily between Httpd modules, generating various attacks based on the different functionalities of modules: from the simplest arbitrary source code disclosure to bypassing ACL, and enabling unlimited SSRF. Of course, we won't forget about RCE, we will demonstrate how a long-underestimated bug type can be transformed into code execution by leveraging Httpd's internal features!