Apache Web Server Path Traversal and File Disclosure Vulnerability (CVE-2021-41773)

The Apache Software Foundation released a patch on 4 October 2021 for a zero-day vulnerability in Apache HTTP Server that affects version 2.4.49. The vulnerability was reported by the cPanel Security Team and is being actively exploited in the wild.

The flaw is in a change to path normalization introduced in 2.4.49: URL-encoded dot segments such as `.%2e` slip past the check for `..`, so a request can map to files outside the expected document root (path traversal) and read them (file disclosure). The advisory adds that the same traversal can expose the source of interpreted files such as CGI scripts, which may contain credentials or other sensitive information an attacker can use for further attacks.

The vulnerability is now known to lead to remote code execution when mod_cgi is enabled on the server, because the traversal can reach a shell binary through the CGI handler, as noted by security researcher Hacker Fantastic on Twitter.

What are the risks?

Apache HTTP Server is a popular open source HTTP server from the Apache Software Foundation that runs on Windows and *nix operating systems.

A Shodan search shows around 112,711 Apache HTTP servers running the vulnerable version. The traversal succeeds when files outside the document root are not protected by a `Require all denied` directive.

Several working exploits are already publicly available, and because no authentication is required, the vulnerability is easy for a remote attacker to exploit.
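The two paragraphs above describe the traversal mechanism and the fact that exploitation leaves requests in the access log. The script below, added here as an example and not part of the original Indusface post, flags CVE-2021-41773-style requests in Apache combined-format access logs: it percent-decodes the request path and reports any request whose `..` segments only appear after decoding, which is exactly what the 2.4.49 normalization missed. It also decodes a second time so the double-encoded `.%%32%65` form used against the incomplete 2.4.50 fix (tracked as CVE-2021-42013, which the original post does not mention) is caught. All log lines are constructed for illustration.

```python
# Added example (not from the Indusface post): flag CVE-2021-41773-style
# traversal requests in Apache combined-format access logs. All log lines
# below are constructed for illustration.
import re
from urllib.parse import unquote

# Client IP, the quoted request line and the response status of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def decode_path(raw: str, rounds: int = 2) -> str:
    """Percent-decode the URL path, up to `rounds` times.

    One round turns the 2.4.49 pattern ".%2e" into "..". A second round is
    needed for the double-encoded ".%%32%65" variant used against the
    incomplete 2.4.50 fix (CVE-2021-42013): "%%32%65" -> "%2e" -> ".".
    """
    path = raw.split("?", 1)[0]  # the query string is irrelevant to file mapping
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_encoded_traversal(raw_target: str) -> bool:
    """True when a '..' segment appears only after percent-decoding.

    Apache 2.4.49 still normalised away a literal "/../", but checked the
    encoded form incorrectly, so the tell-tale of this CVE is a '..' segment
    that the raw request line hid behind percent-encoding.
    """
    literal = raw_target.split("?", 1)[0].split("/")
    decoded = decode_path(raw_target).split("/")
    return ".." in decoded and ".." not in literal


def flag_traversal(lines):
    """Return (ip, method, decoded_path, status) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_encoded_traversal(m["target"]):
            continue
        hits.append((m["ip"], m["method"], decode_path(m["target"]), int(m["status"])))
    return hits


SAMPLE_LOG = [  # constructed, not real traffic
    '203.0.113.5 - - [05/Oct/2021:10:12:01 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1302 "-" "curl/7.68.0"',
    '203.0.113.5 - - [05/Oct/2021:10:12:02 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 57 "-" "curl/7.68.0"',
    '198.51.100.7 - - [05/Oct/2021:10:12:03 +0000] "GET /icons/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 403 199 "-" "-"',
    '192.0.2.10 - - [05/Oct/2021:10:13:00 +0000] "GET /index.html HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [05/Oct/2021:10:13:05 +0000] "GET /docs/a..b/readme.txt?x=%2e%2e HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, method, path, status in flag_traversal(SAMPLE_LOG):
        # A 2xx means the server served the traversed path; a 403 means a
        # "Require all denied" block stopped it.
        verdict = "served (likely exploited)" if status < 300 else "blocked"
        print(f"{ip} {method} {path} -> {status} {verdict}")
```

A POST to a `/cgi-bin/` path that decodes to a shell binary, as in the second sample line, is the RCE shape rather than plain file disclosure, and a 2xx status on any flagged line means the traversal was actually served, so those hosts should be treated as compromised rather than merely probed.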

Mitigation

The fix was included in version 2.4.50, released on October 4, 2021. We strongly advise customers to update their installations as soon as possible. Note that the 2.4.50 fix was later found to be incomplete (CVE-2021-42013), so installations should move to 2.4.51 or later.

Restrict access to files outside the document root with a `<Directory />` block containing `Require all denied` (the Apache 2.4 equivalent of the older "deny from all"), and disable mod_cgi/mod_cgid where CGI is not needed, since that is what turns the traversal into code execution.

Indusface Web Application Scanner (WAS) performs a scan on the server and identifies this vulnerability through a non-intrusive remote network test.

AppTrana, Indusface's Total Application Security (TAS) platform, protects against the exploitation of vulnerabilities in web applications and web servers, including this vulnerability.


*** This is a syndicated blog from Indusface’s Security Bloggers Network written by Vivek Gopalan. Read the original post at: https://www.indusface.com/blog/apache-web-server-path-traversal-and-file-disclosure-vulnerability-cve-2021-41773/