How can we help?
Apache has released a fix for a path traversal vulnerability (CVE-2021-41773) in their web server.
Their advisory describes it as a “file disclosure” issue but the exploitability of this bug actually depends on the server configuration.
With default settings, an attacker could use it to read files stored outside of the usual hosted directory.
If mod-cgi is enabled it can be used to execute binaries on the server.
Proof of Concept code is already being shared on Twitter.
By default, the bug would allow a remote attacker to read files from the server outside of the hosted directory.
This could be used to leak sensitive information such as credentials, environmental info or source code for the website.
If mod-cgi is enabled then a remote attacker could execute code on the server.
The running version of Apache is sent in an HTTP header by default so this can be detected remotely by looking at an HTTP request.
`curl –head yourwebsite.com`
Apache HTTP Server 2.4.49
Containment, Mitigations & Remediations
Indicators of Compromise
Exploitation attempts will be recorded in the web request logs.
Check for the string `/%2e%2e/`
At the time of writing, (Shodan shows) 100,000 vulnerable machines connected to the Internet.
-T1190 – Exploit Public-Facing Application