Found a vulnerability in the Apache http server

Recently the news broke that found a new attack vector against the Apache http server, which remained unpatched in the 2.4.50 update and allows file access from areas outside of the site's root directory.

In addition, the researchers have found a way that, in the presence of certain configurations non-standard, not only read the system files, but also run remotely your code on the server.

CVE-2021-41773 on Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside of directories configured by directives similar to Aliases. If files outside of these directories are not protected by the usual default "require all denied" settings, these requests may be successful. If CGI scripts are also enabled for these aliased patches, this could allow remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

In essence, the new problem (already listed as CVE-2021-42013) it is completely similar to the original vulnerability (CVE-2021-41773) at 2.4.49, the only difference is in a different character encoding.

And it is that in particular, in version 2.4.50 the possibility of using the sequence "% 2e" was blocked to encode a point, but yese lost the possibility of double encoding: by specifying the sequence "%% 32% 65", the server decoded in "% 2e", and then in ".", ie The characters "../" to go to the previous directory can be encoded as ". %% 32% 65 / ».

Both CVEs are in fact almost the same path traversal vulnerability (the second is the incomplete fix for the first). Path traversal only works from a mapped URI (for example, via Apache "Alias" or "ScriptAlias" directives). DocumentRoot alone is not enough

Regarding the exploitation of a vulnerability through code execution, this is possible if mod_cgi is enabled and a base path is used in which CGI scripts are allowed to run (for example, if the ScriptAlias ​​directive is enabled or the ExecCGI flag is specified in the Options directive).

It is mentioned that a prerequisite for a successful attack is also to explicitly provide in the Apache configuration access to directories with executable files, such as / bin, or access to the FS root "/". Since such access is not normally provided, a code execution attack is of little use to real systems.

At the same time, the attack on obtaining file content arbitrary system codes and source texts of web scripts that are available for user reading under which the http server is running is still relevant. To carry out such an attack, simply have a directory on the site configured using the "Alias" or "ScriptAlias" directives (DocumentRoot is not enough), such as "cgi-bin".

In addition to this, he mentions that the problem mainly affects continuously updated distributions (Rolling Releases) such as Fedora, Arch Linux and Gentoo, as well as FreeBSD ports.

While Linux distributions that are based on stable branches of server distributions such as Debian, RHEL, Ubuntu and SUSE are not vulnerable. The problem does not appear if access to directories is explicitly denied using the »require all denied« setting.

It is also worth mentioning that On October 6-7, Cloudflare recorded more than 300 attempts to exploit the vulnerability CVE-2021-41773 per day. Most of the time, as a result of automated attacks, they request the content of "/cgi-bin/.%2e/.git/config", "/cgi-bin/.%2e/app/etc/local.xml" , "/Cgi-bin/.% 2e / app / etc / env.php" and "/cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd".

The problem only manifests in versions 2.4.49 and 2.4.50, previous versions of the vulnerability are not affected. To fix the new variant of the vulnerability, the Apache httpd 2.4.51 release was quickly formed.

Finally If you are interested in knowing more about it, you can check the details In the following link.

The content of the article adheres to our principles of editorial ethics. To report an error click here!.

Be the first to comment

Leave a Comment

Your email address will not be published.



  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.