An urgent update of the Apache http server, version 2.4.50, has been released; it fixes an already actively exploited 0-day vulnerability (CVE-2021-41773) that allows access to files outside the site root. The vulnerability can be used to read arbitrary system files and the source code of web scripts that are readable by the user the http server runs as. The developers were notified of the problem on September 17, but were only able to release the update today, after cases of the vulnerability being used to attack sites were recorded on the network.
The danger of the vulnerability is mitigated by the fact that the problem appears only in the recently released version 2.4.49 and does not affect earlier releases. The stable branches of conservative server distributions (Debian, RHEL, Ubuntu, SUSE) have not yet adopted the 2.4.49 release, but the issue has affected rolling-release distributions such as Fedora, Arch Linux and Gentoo, as well as the FreeBSD ports.
The vulnerability is caused by an error introduced during a rewrite of the URI path normalization code, because of which a dot encoded as the sequence "%2e" was not normalized if it was preceded by another dot. As a result, the unsanitized characters "../" could be smuggled into the resulting path by specifying the sequence ".%2e/" in the request. For example, a request like "https://example.com/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd" or "https://example.com/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts" made it possible to obtain the contents of system files such as "/etc/passwd".
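As an added illustration (not code from the original article or from the Apache project), the following Python shows the decode-then-collapse order a path normalizer must follow and flags requests in constructed access-log lines where a ".." segment becomes visible only after percent-decoding, the request shape described above. The log lines, IP addresses and function names are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the article). The first two
# mirror the encoded traversal shapes described above; the rest are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Oct/2021:10:00:01 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1234
203.0.113.5 - - [05/Oct/2021:10:00:02 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 200 321
198.51.100.7 - - [05/Oct/2021:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [05/Oct/2021:10:00:04 +0000] "GET /docs/../index.html HTTP/1.1" 200 5120
198.51.100.7 - - [05/Oct/2021:10:00:05 +0000] "GET /img/a.%2epng HTTP/1.1" 200 64
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def normalize(path: str):
    """Percent-decode first, then collapse '.' and '..' segments.
    Returns (clean_path, escaped); escaped is True when the path tried to
    climb above the root, which is what the requests above rely on."""
    stack, escaped = [], False
    for seg in unquote(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True      # more '..' than directories: left the root
        else:
            stack.append(seg)
    return "/" + "/".join(stack), escaped

def is_encoded_traversal(target: str) -> bool:
    """True when a '..' segment exists only after decoding, i.e. a check that
    looks for a literal '../' before decoding would not see it."""
    raw_path = target.split("?", 1)[0]
    literal = ".." in raw_path.split("/")
    decoded = ".." in unquote(raw_path).split("/")
    return decoded and not literal

def scan_log(text: str):
    """Return (target, normalized_path, escaped) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_encoded_traversal(m.group("target")):
            clean, escaped = normalize(m.group("target").split("?", 1)[0])
            hits.append((m.group("target"), clean, escaped))
    return hits
```

Note that "/img/a.%2epng" is not flagged: after decoding it is a single segment "a..png", not a ".." segment, so the check keys on path segments rather than on the substring "%2e".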
The problem does not appear if access to directories is explicitly denied using the "Require all denied" setting. For example, for partial protection, the following can be specified in the configuration file:

    <Directory />
        Require all denied
    </Directory>
Apache httpd 2.4.50 also fixes another vulnerability (CVE-2021-41524) in the module implementing the HTTP/2 protocol. It allowed a null pointer dereference to be triggered by sending a specially crafted request, causing the process to crash. This vulnerability likewise appears only in version 2.4.49. As a workaround, support for the HTTP/2 protocol can be disabled.
Addendum: a way of exploiting the CVE-2021-41773 vulnerability to execute code on the server has been proposed:

    curl --data "A=|id>>/tmp/x;uname \$IFS-a>>/tmp/x" 'http://127.0.0.1:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh' -vv