Introduction:

Among the open-source HTTP servers of the Apache Foundation, “Apache HTTP Server” is a very popular one. A directory traversal vulnerability exists in version 2.4.49 of “Apache HTTP Server” known as CVE-2021-41773. Although Apache officials quickly patched this vulnerability and released a new version 2.4.50, this vulnerability fix is incomplete. CVE-2021-42013 is a patch bypass vulnerability for CVE-2021-41773.

What is affected

Apache servers running version 2.4.49 and 2.4.50. Attackers exploit the CVE-2021-42013 vulnerability to compromise Apache servers. Attackers can successfully read other files (files that do not exist in the Web directory) and the source code of files in the Web directory. At the same time, the attacker can execute arbitrary commands when the server has the CGI or CGID service enabled.

Severity Score

In NATIONAL VULNERABILITY DATABASE, this vulnerability has a score of 9.8. This indicates that this vulnerability is a high-severity vulnerability.

How to fix

Users need to upgrade to a secure version of Apache HTTP Server. This vulnerability affects Apache HTTP Server 2.4.49 and 2.4.50. Users can download the latest version through the official website: https://httpd.apache.org/download.cgi

Reproducing the vulnerability

First we start the vulnerability environment containing “CVE-2021-42013”.

The website contains IP address and port 8080

This payload can directly access user-related information in the system without the user’s consent.

Once we enable mods cgi or cgid on the server, this vulnerability will allow an attacker to execute arbitrary commands

Payload example: