An urgent update of the Apache http server, version 2.4.50, has been published. It fixes an already actively exploited 0-day vulnerability (CVE-2021-41773) that allows access to files located outside the site root. The vulnerability can be used to read arbitrary system files and the source code of web scripts that are readable by the user account the http server runs under. The developers were notified of the problem on September 17, but were able to release the update only today, after cases of the vulnerability being used to attack sites had been recorded in the wild.
The danger of the vulnerability is mitigated by the fact that the problem manifests itself only in the recently released version 2.4.49 and does not affect any earlier release. The stable branches of conservative server distributions have not yet shipped the 2.4.49 release, but the issue does affect continuously updated (rolling) distributions.
The vulnerability is caused by an error introduced during a rework of the path normalization code for URIs, because of which a dot encoded as the sequence "%2e" was not normalized if it was preceded by another dot. Thus, an unsanitized "../" could be smuggled into the resulting path by specifying the sequence ".%2e/" in the request. For example, a request such as "https://example.com/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd" or "https://example.com/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts" led to the contents of a system file such as "/etc/passwd" being returned.
The problem does not appear if access to directories is explicitly denied using the "require all denied" setting. For example, for partial protection, you can specify in the configuration file:
    <Directory />
        require all denied
    </Directory>
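As an added example (not code from the article or from the Apache project), the Python below covers both sides of the problem described above: a normalizer that percent-decodes before resolving "." and ".." segments and refuses any path that climbs above the root, and a scan over constructed access-log lines that flags the encoded dot-dot segments (.%2e, %2e., %2e%2e) the article describes. The log lines and client addresses are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the article); the second
# and third carry the encoded-dot traversal pattern described above.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Oct/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [05/Oct/2021:10:01:09 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1431
10.0.0.7 - - [05/Oct/2021:10:01:15 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 200 220
10.0.0.9 - - [05/Oct/2021:10:02:00 +0000] "GET /docs/../index.html HTTP/1.1" 200 512
"""

# A path segment made of two dots where at least one is percent-encoded.
# Case-insensitive because "%2E" decodes to the same character as "%2e".
ENCODED_DOTDOT = re.compile(r"(?:^|/)(?:\.%2e|%2e\.|%2e%2e)(?=/|$)", re.IGNORECASE)
REQUEST_PATH = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def normalize_path(raw_path):
    """Decode first, then normalize. Returns the clean path, or None when the
    request tries to climb above the root, which the server should reject."""
    decoded = unquote(raw_path)          # all %XX escapes resolved before any check
    out = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:                  # nothing left to pop: escape attempt
                return None
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def flag_traversal(log_line):
    """Return the request path if it carries an encoded dot-dot segment or
    escapes the root after decoding; otherwise None."""
    m = REQUEST_PATH.search(log_line)
    if not m:
        return None
    path = m.group(1)
    if ENCODED_DOTDOT.search(path) or normalize_path(path) is None:
        return path
    return None


def scan_log(text):
    """Apply flag_traversal to every line and return the flagged paths."""
    return [p for p in (flag_traversal(line) for line in text.splitlines()) if p]
```

Note that "/docs/../index.html" in the sample is not flagged: it decodes and resolves to "/index.html" inside the root, which is the behaviour a correct normalizer should keep.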
Apache httpd 2.4.50 also fixes another vulnerability (CVE-2021-41524) affecting the module that implements the HTTP/2 protocol. The vulnerability allowed a null pointer dereference to be triggered by sending a specially crafted request, causing the process to crash. This vulnerability also appears only in version 2.4.49. As a workaround, you can disable support for the HTTP/2 protocol.
Addendum: a way to exploit the CVE-2021-41773 vulnerability to execute code on the server has been published:
curl --data "A=|id>>/tmp/x;uname \$IFS-a>>/tmp/x" 'http://127.0.0.1:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh' -vv