Apache Fixes Actively Exploited Web Server Zero-day

The Apache Software Foundation has released a security patch to address a vulnerability in its HTTP Web Server project that has been actively exploited in the wild. From a report: Tracked as CVE-2021-41773, the vulnerability affects only Apache web servers running version 2.4.49 and occurs because of a bug in how the Apache server converts between different URL path schemes (a process called path or URI normalization). "An attacker could use a path traversal attack to map URLs to files outside the expected document root," the ASF team said in the Apache HTTP Server 2.4.50 changelog. "If files outside of the document root are not protected by 'require all denied' these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts," Apache engineers added. More than 120,000 servers currently exposed online to attacks.

Great....

[Joce640k]

Oh, great. I literally just set up a server with that version (it was the current version last week).

Re:

[The-Ixian]

Seems to me that directory traversal bugs should be top of mind when doing QA on a web server.

Re:

[Antique Geekmeister]

Using such a powerful, full-blown web server, proxy, authentication tool, and other service provider is popular but remains dangerous. Smaller tools, with smaller attack survaces and well defined API's among their components, remain more robust and safer. Apache was veryeffective when first published, but as it became "httpd" its' grace and simplicity were lost in favor of unnecessary and unwelcome features which have become awkward to disable.

Re:

[Joce640k]

Update: Half an hour wasted because this line works in Apache 2.4.49 (and previous versions) but not in 2.4.50

# PHP plugin
LoadModule php_module "C:/apache24/php-8.0.11/php8apache2_4.dll"

Clue: Remove the quotes from around the file name

Re:

[rduke15]

According to the linked article, it does NOT work on previous versions. I have 2.4.38. And indeed, if I try the example from a tweet in the article:
curl "https://my.example.com/whatever/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd"
I just get

<title>400 Bad Request</title> ...
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand. ...

Re:

[Joce640k]

Use the package manager and then make sure automatic updates are working.

On Windows?

Re:

[bustinbrains]

You are putting a Windows computer on the public Internet...

Why?

(That's a rhetorical question. If you want to run a public-facing web server, run a decent Linux server distro as the host OS and learn how to manage it properly. Running Windows, even Server editions, as a public web server is asking for all kinds of trouble.)

Re:

[Anonymous Coward]

Time to infection of a newly installed Windows machine on the Internet has been in the single minutes [slashdot.org], faster than Windows Update can run.

2020-2021 Windows survival time data:
https://web.archive.org/web/20... [archive.org]

Re:

[Joce640k]

Amazing. I ought not to even be able to type this...

Re:

[Joce640k]

run a decent Linux server distro as the host OS and learn how to manage it properly.

I can't be bothered.

Running Windows, even Server editions, as a public web server is asking for all kinds of trouble.)

I've done it for the last decade (or more) and nothing bad has ever happened.

Editing, maybe?

[NormalVisual]

"More than 120,000 servers currently exposed online to attacks."

Do the editors here actually DO anything?

Re:

[Anonymous Coward]

Do the editors here actually DO anything?

This your first time reading slashdot?

Re:

[awwshit]

I think the slashdot editors do something like this:

1. Get high.
2. Eat Munchies.
3. Click Approve.
4. Repeat.

Re:

[Joce640k]

Jealous?

Re:

[awwshit]

No. I skipped the parts about all of the fun troll issues on slashdot. I probably don't want to deal with slashdot's issues whether I'm high and fed or not.

Containers

[The Evil Atheist]

Aren't containers supposed to avoid all that shit in the first place?

Re:

[Anonymous Coward]

No.

Re:

[ArchieBunker]

Containers are a symptom of dependency hell. Too many libraries and a development environment so convoluted that only the author can recreate it. So instead of fixing the problem it's now managed by containers.

Re:

[The Evil Atheist]

I'm merely talking about access to files outside of a context. This URL normalization business would have no effect if it ended up pointing to something outside the container.

That's my understanding of what containers were originally designed for - restricted usage of system resources.

Re:

[The Evil Atheist]

My point is you don't want something fine-grained. You want, if at all possible, a whitelist of one directory. URLs pointing to anything outside that directory is considered non-existent. Fine-grained security is leaky security.

My understanding of containers is limited, but I was under the impression that containers can be limited to only allow access to specific directories. So if the application doesn't support whitelists well, or is buggy, then it still can't escape the container.

Re:

[The Evil Atheist]

Access by directory (tree) is more fine-grained than by entire container! :-)

It isn't. It's a full-lock down. It's very easy to audit - how many directories is accessible? One. Which one? That one. Job done. That's very course grained. No ifs, no buts.

so limiting the bad guy's access to just the container is still harmful.

But I'm asking if there are container implementations that can further limit access, not just to the container itself. Is there, like, something you can do with kernel namespaces that limits an application to ever only be able to access one directory specified on startup. Take it away from the server's responsibility entirely.

Re:

[The Evil Atheist]

I use the example of one directory as an extreme, geezus.

Not everything is meant to be taken literally.