The Dataprise Blog

Apache Web Server Path Traversal Vulnerability: Dataprise Defense Digest

Oct 06, 2021 BY DATAPRISE


EXECUTIVE SUMMARY

Apache has issued a patch that addresses a zero-day vulnerability in its HTTP Server project. Apache is an open-source web server for Unix and Windows that is among the most widely used web servers in the world. Successful exploitation could allow unauthorized users to trick the web server into returning files they should not be able to access, which could lead to further attacks or the compromise of data.


IMPACT

Attackers could use a path traversal attack to map URLs to files outside the expected document root, accessing unauthorized files.


DETAILED ANALYSIS

Apache has issued a patch for CVE-2021-41773, a vulnerability in HTTP Server version 2.4.49. The vulnerability allows attackers to map URLs to files outside the expected document root and could leak the “source of interpreted files like CGI scripts [1],” which can lead to further attacks.

This vulnerability affects all files outside of the document root that are not protected by the 'Require all denied' setting.
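A defender-side check for the behaviour described above, added here as an example and not part of the original digest or of Apache's own code: it percent-decodes the request path from Apache access-log lines and flags any request whose decoded path resolves above the document root. The log lines are constructed for the example, not real traffic.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed Apache common-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [06/Oct/2021:10:00:02 +0000] "GET /images/../index.html HTTP/1.1" 200 512
203.0.113.9 - - [06/Oct/2021:10:00:03 +0000] "GET /icons/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 200 170
203.0.113.9 - - [06/Oct/2021:10:00:04 +0000] "GET /icons/.%2e/.%2e/etc/hosts HTTP/1.1" 200 170
203.0.113.9 - - [06/Oct/2021:10:00:05 +0000] "GET /%252e%252e/etc/hosts?x=1 HTTP/1.1" 200 170
"""

# Pulls the request line ("METHOD target HTTP/x.y") out of a log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def decode_path(target: str, rounds: int = 2) -> str:
    """Drop the query string and percent-decode repeatedly, so that
    double-encoded dot segments (e.g. %252e) are revealed as well."""
    path = target.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_root(path: str) -> bool:
    """Walk the decoded segments the way a filesystem would; any '..' that
    pops above the starting directory means the request resolves outside
    the document root. '/images/../index.html' stays inside and is benign."""
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def find_traversal(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded_path) for each request that escapes the root."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = decode_path(m.group("target"))
        if escapes_root(path):
            hits.append((line.split(" ", 1)[0], path))
    return hits
```

Run it over real access logs by passing the file contents to find_traversal; a hit against a 2.4.49 host is a strong signal to upgrade and to review what was served.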

Positive Technologies' Offensive Team was able to reproduce the path traversal exploit and posted a proof of concept on its Twitter account.

[Image: PT Offensive Team reproduces the path traversal exploit.]

According to Tenable, “Just under 112,000 Apache HTTP Servers are running the vulnerable version.” Since version 2.4.49 was released just over 2 weeks ago, it is likely that many administrators have not yet updated their servers to this version. Those who have not should skip version 2.4.49 and patch directly to 2.4.50.

INDICATORS OF VULNERABILITY

Any Apache HTTP Servers running version 2.4.49 (this vulnerability does not affect older versions) are currently exposed.

Files outside of the document root that are not protected by 'Require all denied' are at risk.

MITIGATION

Apache Web Servers should be updated to version 2.4.50 immediately.

Administrators should protect files outside of the document root with 'Require all denied'.

SOURCES


AUTHORS

  • Daniel Mervis, Cyber Security Analyst
  • Samuel Bourgeois, vCISO
  • Stephen Jones, Senior Director Cybersecurity