Apache Web Server Path Traversal and File Disclosure Vulnerability (CVE-2021-41773)

Posted October 18, 2021

What is the CVE-2021-41773 vulnerability?

On 4th October 2021 the Apache Software Foundation released a fix for a zero-day vulnerability in the Apache HTTP server affecting version 2.4.49. The vulnerability was discovered by cPanel Security and is being actively exploited in the wild.

This flaw could allow path traversal and subsequent file disclosure. Path traversal issues allow unauthorized users to access files outside the expected document root on the web server. The advisory added that the issue could also expose the source of interpreted files such as CGI scripts, which may contain sensitive information that attackers could use for further attacks.

This zero-day vulnerability is now known to lead to remote code execution provided mod_cgi is enabled on the server, as noted by security researcher Hacker Fantastic on Twitter.

What are the risks?

The Apache HTTP server, by the Apache Software Foundation, is a popular open-source HTTP server for operating systems including Windows and *nix.

A Shodan search shows about 112,711 Apache HTTP servers running the vulnerable version. The vulnerability applies where files outside the document root are not protected by “require all denied”.

Multiple working exploits are already publicly available, and because no authentication is required, exploitation is easy for a remote attacker.

Mitigation

The fix is included in version 2.4.50, released on 4th October 2021. We strongly advise customers to update their installations as soon as possible.

Restrict access to files outside the document root using “require all denied”.
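Beyond patching, access logs can be checked for traversal attempts of the kind described above. The following script is an added example, not part of the original post or of any Indusface product: it parses Apache common/combined log lines, fully percent-decodes the request path, and flags requests whose decoded path climbs above the document root, noting whether the dot-segments only appeared after decoding and whether the server actually served the file. The log lines, client addresses and field names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Common/combined log prefix: client ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_fully(text, rounds=3):
    """Percent-decode a bounded number of times so doubly encoded dots also surface."""
    for _ in range(rounds):
        text = unquote(text)
    return text

def escapes_root(path):
    """True if walking the path's '..' segments ever climbs above the document root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def analyze_request(line):
    """Return a finding dict for a traversal attempt, or None for a benign/unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group("target").split("?", 1)[0]  # drop the query string
    decoded = decode_fully(raw)
    if not escapes_root(decoded):
        return None
    return {
        "ip": m.group("ip"), "target": raw, "decoded": decoded,
        # '..' segments that exist only after decoding (%2e) mark the 2.4.49 normalisation bypass
        "encoded_dots": not escapes_root(raw),
        "cgi_bin": decoded.startswith("/cgi-bin/"),
        # 200 means the file was served; 403 means 'require all denied' (or the fix) held
        "served": m.group("status") == "200",
    }

# Constructed sample lines (not real traffic); client IPs are from the 192.0.2.0/24 documentation range
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.11 - - [05/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1847',
    '192.0.2.12 - - [05/Oct/2021:10:00:03 +0000] "GET /icons/../../../etc/passwd HTTP/1.1" 403 199',
]
```

Running `analyze_request` over each line of a real access log and alerting on findings with `served` set to true isolates the requests that actually disclosed files, which is where incident response should start.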

Indusface Web Application Scanner (WAS) scans the server and identifies this vulnerability through a non-intrusive remote network test.

The Indusface AppTrana/Total Application Security (TAS) platform protects against exploitation of web application and web server vulnerabilities, including this one.

Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.


Vivek Gopalan

Vivekanand Gopalan is a seasoned entrepreneur and currently serves as the Vice President of Products at Indusface. With over 12 years of experience in designing and developing technology products, he has a keen eye for building innovative solutions that solve real-life problems. In his previous role as a Product Manager at Druva, Vivek was instrumental in creating the core endpoint data protection solution, which helped over 1500 enterprises protect over a million endpoints. Prior to that, he served as a Product Manager at Zighra, where he played a crucial role in reducing online and offline payment fraud by leveraging mobile telephony, collective intelligence, and implicit user authentication. Vivek is a dynamic leader who enjoys building and commercializing products that bring tangible value to customers. In 2010, before pursuing his MBA, he co-founded a technology product company, Warmbluke, and created a first-of-its-kind innovative civil engineering estimator software called ATLAS. The software was developed for both enterprise and SaaS users. The product helps in estimating construction cost using CAD drawings. Vivek did his MBA at Queen's University with a specialization in New Ventures. He also holds a Bachelor of Technology degree in Information Technology from Coimbatore Institute of Technology, Anna University, one of the prestigious universities in India. He is the recipient of the D.D. Monieson MBA Award, issued by Queen's School of Business, presented to a student team which has embraced the team-learning model and applied the management tools and skills to become a peer exemplar. In his spare time, Vivek likes to go on hikes and read books.
