Apache HTTP Server Path Traversal and Remote Code Execution

On October 4th, Apache released HTTP Server 2.4.50 for the fixing of CVE-2021-41773 found on HTTP Server 2.4.49.

This vulnerability allows an attacker using the encoding to bypass the Path traversal protections and read arbitrary files on the web server’s file system.

The vulnerability affects both Windows and Linux servers running this version of Apache.

CVE-2021-41773 has been exploited in the wild as a zero-day. The vulnerability was disclosed to the Apache HTTP Server Project on September 29 by Ash Daulton and the cPanel Security Team.

At the initial time of discovery, the advisory acknowledged the vulnerability as an informational disclosure bug.

But after some research it was found that while mod_cgi is enabled, the vulnerability can be used for remote code execution. mod_cgi is not enabled by default in the Apache Server HTTP configuration.

With mod_cgi enabled, the attacker can execute payloads via HTTP POST requests. They tried to fix on version 2.4.50 but that was again able to be bypassed and assigned to CVE-2021-42013.

How to prevent the vulnerability

The recommended mitigation is to update to HTTP Server version 2.4.51.The version 2.4.50 doesn’t fully address CVE-2021-41773.

Latest Articles