Listen to this Post
How the CVE Works:
CVE-2021-41773 is a path traversal vulnerability in Apache HTTP Server 2.4.49. The flaw arises due to improper validation of URLs in the `ap_normalize_path()` function, allowing attackers to bypass security restrictions using crafted paths containing `./` sequences. If `mod_cgi` is enabled, remote attackers can execute arbitrary commands by sending malicious requests. The vulnerability exposes files outside the document root when the `require all denied` directive is misconfigured, leading to unauthorized access.
DailyCVE Form:
Platform: Apache HTTP Server
Version: 2.4.49
Vulnerability: Path Traversal
Severity: Critical
Date: 2021-10-05
Prediction: Patch by 2021-10-15
What Undercode Say:
curl -v "http://target.com/cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd"
<Directory "/var/www/html"> Require all denied </Directory>
How Exploit:
- Craft HTTP requests with `.%2e/` sequences.
- Bypass path normalization to access
/etc/passwd. - Execute OS commands if `mod_cgi` is active.
Protection from this CVE:
- Upgrade to Apache 2.4.50.
- Disable `mod_cgi` if unused.
- Enforce strict `Require all denied` rules.
Impact:
- Remote code execution (RCE).
- Sensitive file disclosure.
- Server compromise.
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode
