Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Apache

Apache Fixes Actively Exploited Web Server Zero-day (therecord.media) 34

The Apache Software Foundation has released a security patch to address a vulnerability in its HTTP Web Server project that has been actively exploited in the wild. From a report: Tracked as CVE-2021-41773, the vulnerability affects only Apache web servers running version 2.4.49 and occurs because of a bug in how the Apache server converts between different URL path schemes (a process called path or URI normalization). "An attacker could use a path traversal attack to map URLs to files outside the expected document root," the ASF team said in the Apache HTTP Server 2.4.50 changelog. "If files outside of the document root are not protected by 'require all denied' these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts," Apache engineers added. More than 120,000 servers currently exposed online to attacks.
This discussion has been archived. No new comments can be posted.

Apache Fixes Actively Exploited Web Server Zero-day

Comments Filter:
  • Oh, great. I literally just set up a server with that version (it was the current version last week).

    • Seems to me that directory traversal bugs should be top of mind when doing QA on a web server.

      • Using such a powerful, full-blown web server, proxy, authentication tool, and other service provider is popular but remains dangerous. Smaller tools, with smaller attack survaces and well defined API's among their components, remain more robust and safer. Apache was veryeffective when first published, but as it became "httpd" its' grace and simplicity were lost in favor of unnecessary and unwelcome features which have become awkward to disable.

    • Update: Half an hour wasted because this line works in Apache 2.4.49 (and previous versions) but not in 2.4.50

      # PHP plugin
      LoadModule php_module "C:/apache24/php-8.0.11/php8apache2_4.dll"

      Clue: Remove the quotes from around the file name

      • by rduke15 ( 721841 )

        According to the linked article, it does NOT work on previous versions. I have 2.4.38. And indeed, if I try the example from a tweet in the article:
        curl "https://my.example.com/whatever/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd"
        I just get

        <title>400 Bad Request</title> ...
        <h1>Bad Request</h1>
        <p>Your browser sent a request that this server could not understand. ...

  • "More than 120,000 servers currently exposed online to attacks."

    Do the editors here actually DO anything?

    • by Anonymous Coward

      Do the editors here actually DO anything?

      This your first time reading slashdot?

    • I think the slashdot editors do something like this:

      1. Get high.
      2. Eat Munchies.
      3. Click Approve.
      4. Repeat.

  • Aren't containers supposed to avoid all that shit in the first place?
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      No.

      • Containers are a symptom of dependency hell. Too many libraries and a development environment so convoluted that only the author can recreate it. So instead of fixing the problem it's now managed by containers.

        • I'm merely talking about access to files outside of a context. This URL normalization business would have no effect if it ended up pointing to something outside the container.

          That's my understanding of what containers were originally designed for - restricted usage of system resources.

Dennis Ritchie is twice as bright as Steve Jobs, and only half wrong. -- Jim Gettys

Working...