Apache Web Server Path Traversal and File Disclosure Vulnerability (CVE-2021-41773)
What is the CVE-2021-41773 vulnerability?
Apache Software has released the fix for zero-day vulnerability in the Apache HTTP server affecting version 2.4.49 on 4th October 2021. The vulnerability was discovered by cPanel Security and is being actively exploited in the wild.
This flaw could allow path traversal and subsequent file disclosure. Path traversal issues allow unauthorized users to access files outside the expected document root on the web server. The issue could also expose the source of interpreted files like CGI scripts, the advisory added, which may contain sensitive information that attackers could use for further attacks.
This zero-day vulnerability is now known to be leading to remote code execution provided the mod-cgi is enabled on the server as noted by Security Researcher Hacker Fantastic on Twitter.
What are the risks?
The Apache HTTP server is a popular open-source HTTP server for operating systems including Windows and *nix by Apache Software Foundation.
A Shodan search shows about 1,12,711 Apache HTTP servers that are running the vulnerable version. The vulnerability is applicable where the files outside of the document root are not protected by “require all denied”.
Multiple working exploits are already available in public, and no user authorization required to exploit the vulnerability makes the exploitation easy for a remote attacker.
The fix has been included in version 2.4.50 and released on 4th October 2021. We strongly advise customers to update their installations as soon as possible.
Restrict access to files outside the document root using “require all denied”.
Indusface Web Application Scanner (WAS) performs scan on the server and identifies this vulnerability through non-intrusive remote network test.
Indusface AppTrana/Total Application Security (TAS) platform protects against web application and web server vulnerabilities exploitation including this vulnerability.