### [CVE-2011-0419](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0419)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd.

### POC

#### Reference
- http://securityreason.com/achievement_securityalert/98
- http://securityreason.com/securityalert/8246
- http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
- http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html

#### Github
- https://github.com/8ctorres/SIND-Practicas
- https://github.com/ARPSyndicate/cvemon
- https://github.com/DButter/whitehat_public
- https://github.com/Dokukin1/Metasploitable
- https://github.com/GiJ03/ReconScan
- https://github.com/Iknowmyname/Nmap-Scans-M2
- https://github.com/Live-Hack-CVE/CVE-2011-0419
- https://github.com/MrFrozenPepe/Pentest-Cheetsheet
- https://github.com/NikulinMS/13-01-hw
- https://github.com/RoliSoft/ReconScan
- https://github.com/SecureAxom/strike
- https://github.com/Zhivarev/13-01-hw
- https://github.com/issdp/test
- https://github.com/kasem545/vulnsearch
- https://github.com/matoweb/Enumeration-Script
- https://github.com/rameel12/Entity-Extraction-Using-Syntaxnet
- https://github.com/smabramov/Vulnerabilities-and-attacks-on-information-systems
- https://github.com/xxehacker/strike
- https://github.com/zzzWTF/db-13-01