Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Apache HTTP Server Path Traversal and Remote Code Execution Vulnerability

Vulnerability

A path traversal vulnerability that can lead to remote code execution has been identified in Apache HTTP Server versions 2.4.49 and 2.4.50. It stems from an insufficient fix for a previous vulnerability (CVE-2021-41773), which allowed attackers to map URLs to files outside the designated directories. Such requests can succeed if these files are not protected by the default 'require all denied' configuration. The vulnerability is particularly concerning when CGI scripts are enabled for the affected paths, because it can then lead to arbitrary code execution.

Impact

Exploitation of this vulnerability allows for unauthorized access to files outside the document root, and if CGI scripts are enabled, it could result in remote code execution.

Reproduction

To reproduce this vulnerability, send a request to the server's 'cgi-bin' directory that includes a path traversal payload. This can be done by encoding the traversal characters and appending them to the request. If the server is configured to allow such requests and CGI scripts are enabled, the traversal will succeed and the requested file will be executed.

Remediation

Users are advised to update Apache HTTP Server to version 2.4.51 or later, where this vulnerability has been fixed.
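
The following triage check is an added example, not part of the original advisory or of the Apache project. It classifies a host from its `httpd -v` output and configuration text using the three conditions described above: the affected versions, the 'require all denied' protection on the filesystem root, and whether CGI is enabled. The function names and sample inputs are constructed for illustration, and the check assumes the configuration is available as a single text with no Include resolution.

```python
import re

AFFECTED = {(2, 4, 49), (2, 4, 50)}  # versions named in the advisory

def parse_version(httpd_v_output):
    """Extract (major, minor, patch) from `httpd -v` output or a Server banner."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    return tuple(map(int, m.groups())) if m else None

def active_lines(conf_text):
    """Yield config lines with comments and blank lines removed."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line

def root_denied(conf_text):
    """True if a <Directory /> block contains 'Require all denied'."""
    in_root = False
    for line in active_lines(conf_text):
        if re.fullmatch(r'<Directory\s+"?/"?\s*>', line, re.I):
            in_root = True
        elif re.fullmatch(r"</Directory>", line, re.I):
            in_root = False
        elif in_root and re.fullmatch(r"Require\s+all\s+denied", line, re.I):
            return True
    return False

def cgi_enabled(conf_text):
    """True if mod_cgi or mod_cgid is loaded by an uncommented LoadModule."""
    return any(re.match(r"LoadModule\s+cgid?_module\b", line, re.I)
               for line in active_lines(conf_text))

def assess(httpd_v_output, conf_text):
    """Classify exposure according to the conditions in the advisory."""
    version = parse_version(httpd_v_output)
    if version is None:
        return "unknown version"
    if version not in AFFECTED:
        return "not an affected version"
    if root_denied(conf_text):
        return "affected version, filesystem root denied: upgrade to 2.4.51 or later"
    if cgi_enabled(conf_text):
        return "affected version, exposed to file access and code execution"
    return "affected version, exposed to file access outside the document root"

# Constructed sample inputs (not taken from a real host).
SAMPLE_VERSION = "Server version: Apache/2.4.50 (Unix)"
SAMPLE_CONF = "LoadModule cgid_module modules/mod_cgid.so\n<Directory />\n    Require all granted\n</Directory>\n"
print(assess(SAMPLE_VERSION, SAMPLE_CONF))
```

The check is a first pass only: it does not evaluate more specific Directory blocks that may grant access to individual paths, so a "root denied" result still calls for the upgrade.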

Added: Mar 11, 2026, 7:24 PM
Updated: Mar 11, 2026, 7:24 PM

Vulnerability Rating

Custom Algorithm

spread: 9.4
impact: 10.0
exploitability: 10.0
remediation: 7.7
relevance: 0.0
threat: 9.9
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.