Listen to this Post
How the CVE Works:
CVE-2021-41773 is a critical vulnerability in Apache HTTP Server 2.4.49, caused by improper path normalization. Attackers exploit a flaw in the `ap_normalize_path()` function, allowing traversal outside restricted directories using crafted URLs containing `../` sequences. If `mod_cgi` is enabled, this can lead to remote code execution (RCE) by executing malicious scripts. The vulnerability arises due to insufficient validation of URI-encoded characters, permitting attackers to bypass security checks and access sensitive files or execute arbitrary commands on the server.
DailyCVE Form:
Platform: Apache HTTP Server
Version: 2.4.49
Vulnerability: Path Traversal → RCE
Severity: Critical
Date: 2021-10-05
What Undercode Say:
Analytics:
- Affects default configurations of Apache 2.4.49.
- Exploitable via simple HTTP requests.
- Mitigation requires patching or configuration changes.
Exploit Command:
curl -v "http://target/cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd"
Protection Commands:
1. Update Apache:
sudo apt update && sudo apt upgrade apache2
2. Disable `mod_cgi` if unused:
LoadModule cgi_module modules/mod_cgi.so Comment this line
3. Restrict directory access:
<Directory "/var/www/html"> Require all denied </Directory>
Proof-of-Concept (PoC) Code:
import requests url = "http://target/cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh" data = {"cmd": "id"} requests.post(url, data=data)
Mitigation Steps:
- Apply Apache patch 2.4.50+.
- Use WAF rules to block `/%2e%2e/` patterns.
- Audit logs for suspicious `../` or encoded sequences.
Log Analysis Command:
grep -r "\%2e\%2e" /var/log/apache2/
Impact:
- Unauthorized file disclosure.
- Remote shell access.
- Server compromise.
References:
- Apache Security Advisory
- NVD CVE-2021-41773
- MITRE ATT&CK T1190
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode