Apache HTTP Server Path Traversal and Remote Code Execution

Jijith Rajan
Published on
18 Oct 2021
1 min read
Code Execution

On October 4th, Apache released HTTP Server 2.4.50 for the fixing of CVE-2021-41773 found on HTTP Server 2.4.49.

This vulnerability allows an attacker using the encoding to bypass the Path traversal protections and read arbitrary files on the web server’s file system.

The vulnerability affects both Windows and Linux servers running this version of Apache.

CVE-2021-41773 has been exploited in the wild as a zero-day. The vulnerability was disclosed to the Apache HTTP Server Project on September 29 by Ash Daulton and the cPanel Security Team.

At the initial time of discovery, the advisory acknowledged the vulnerability as an informational disclosure bug.

But after some research it was found that while mod_cgi is enabled, the vulnerability can be used for remote code execution. mod_cgi is not enabled by default in the Apache Server HTTP configuration.

With mod_cgi enabled, the attacker can execute payloads via HTTP POST requests. They tried to fix on version 2.4.50 but that was again able to be bypassed and assigned to CVE-2021-42013.

How to prevent the vulnerability

The recommended mitigation is to update to HTTP Server version 2.4.51.The version 2.4.50 doesn’t fully address CVE-2021-41773.

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Jijith Rajan
Jijith Rajan
Cyber Security Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.