This past Monday, October 4th, Apache disclosed CVE-2021-41773, a vulnerability introduced in Apache HTTP Server 2.4.49. At the same time, update 2.4.50 was released, fixing this vulnerability. The vulnerability allows an attacker to use encoding to bypass path traversal protections and read arbitrary files on the webserver’s file system. Both Linux and Windows servers running this version of Apache are affected.
This vulnerability was introduced in 2.4.49, in a patch that aimed to improve the performance of URL validation. The new validation method could be bypassed by encoding the ‘.’ character. If the Apache webserver configuration is not set to “Require all denied”, exploitation is relatively trivial. By encoding these characters and modifying a URL with the payload, a classic path traversal is possible.
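One way to look for the encoded-dot pattern described above in web server access logs, as an added example that is not code from Apache or from this post. It assumes Common/Combined Log Format with the request line logged as received; the log lines, addresses and paths are constructed samples.

```python
import re
from urllib.parse import unquote

# Assumption: Common/Combined Log Format, request line logged as received.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[0-9.]+" (?P<status>\d{3})')

# Constructed sample lines (documentation addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.7 - - [05/Oct/2021:10:00:02 +0000] "GET /assets/.%2e/%2e%2e/constructed-target HTTP/1.1" 200 512',
    '192.0.2.10 - - [05/Oct/2021:10:00:03 +0000] "GET /docs/v1%2e2/notes.html HTTP/1.1" 200 2048',
    '198.51.100.7 - - [05/Oct/2021:10:00:04 +0000] "GET /static/%2E%2E/constructed-target HTTP/1.1" 403 199',
]


def encoded_dot_segments(target):
    """Return raw path segments that decode to '..' but contain percent-encoding.

    Literal '..' segments are not reported: the bypass discussed on this page
    is specifically the encoded form of the '.' character.
    """
    path = target.split("?", 1)[0]  # ignore the query string
    return [seg for seg in path.split("/") if "%" in seg and unquote(seg) == ".."]


def scan(lines):
    """Return one finding per log line whose path hides '..' behind encoding."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parseable request line
        segments = encoded_dot_segments(match.group("target"))
        if segments:
            findings.append({
                "line": lineno,
                "client": line.split(" ", 1)[0],
                # A 200 on a 2.4.49 host means the request was served: triage first.
                "status": int(match.group("status")),
                "segments": segments,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```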