After disclosing flaws in version 2.4.49 of its HTTP web server, the Apache Foundation released fixes. The problem: one of the patches was incomplete, and the foundation had to urgently issue a proper fix.
Do not confuse speed with haste. The Apache Foundation may have been a little hasty in announcing the availability of patches to close two flaws discovered in its HTTP web server (open source and cross-platform, it powers about 25% of the world's websites). The problem is that one of these fixes does not completely close the most critical hole.
The latter is listed as CVE-2021-41773 and enables so-called directory traversal attacks. These consist of sending requests to reach back-end or sensitive server directories that should be out of reach. Normally these requests are blocked, but in this case the filters are bypassed by using encoded characters (ASCII) in the URLs. Exploiting this flaw can also lead to data exfiltration and to disclosure of the source code of interpreted files such as CGI scripts.
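A defender-side check for the encoded-character bypass described above, as an added example that is not from the article or from Apache: it percent-decodes each request path in an access log and flags entries where decoding reveals `..` segments. The log lines, paths and the `MAX_ROUNDS` limit are constructed assumptions, and decoding more than once generalizes beyond the single encoded case the article mentions.

```python
import re
from urllib.parse import unquote

# Request line of a Common/Combined Log Format entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
MAX_ROUNDS = 5  # assumption: upper bound on nested encoding layers to unwrap

# Constructed sample entries (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Oct/2021:10:00:02 +0000] "GET /static/.%2e/%2e%2e/conf/app.ini HTTP/1.1" 403 199',
    '198.51.100.7 - - [06/Oct/2021:10:00:03 +0000] "GET /static/%252e%252e/%252e%252e/conf/app.ini HTTP/1.1" 400 226',
    '203.0.113.5 - - [06/Oct/2021:10:00:04 +0000] "GET /docs/release%20notes.txt HTTP/1.1" 200 1044',
]


def fully_decode(path):
    """Percent-decode until the string stops changing (bounded)."""
    for _ in range(MAX_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def dotdot_segments(path):
    """Count path segments that are exactly '..'."""
    return sum(seg == ".." for seg in path.replace("\\", "/").split("/"))


def is_encoded_traversal(target):
    """True when decoding reveals '..' segments absent from the raw path."""
    raw_path = target.split("?", 1)[0]
    return dotdot_segments(fully_decode(raw_path)) > dotdot_segments(raw_path)


def scan(lines):
    """Return (client, request target) for each suspicious log entry."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and is_encoded_traversal(match.group("target")):
            hits.append((line.split()[0], match.group("target")))
    return hits


if __name__ == "__main__":
    for client, target in scan(SAMPLE_LOG):
        print(f"encoded traversal attempt from {client}: {target}")
```

Ordinary encoded characters such as `%20` are not flagged, because the check compares the number of `..` segments before and after decoding rather than looking for any percent sign.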
A new version to install urgently
After releasing version 2.4.50 to patch the previous one, the Apache Foundation “found that patching the patch for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker can use a directory traversal attack to map URLs to files outside of directories configured by Alias directives.”
This new vector is known as CVE-2021-42013 and was reported by Juan Escobar of Dreamlab Technologies, Fernando Muñoz of NULL Life CTF Team, and Shungo Kumasaka. CISA (the American CERT) has issued an alert on the risks of rapid exploitation of this vector. The foundation has therefore released version 2.4.51 of the HTTP web server to properly close the flaw and eliminate the various attack vectors. Administrators are strongly advised to update promptly.