😶 APACHE HTTP SERVER 2.4.49

Path traversal and file disclosure vulnerability

• A flaw was found in a change made to path normalization
• Version affected ⇒ 2.4.49 only
• More than 120,000 are exposed to Attack.

Shodan Search

• If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts
• Patch available ⇒ 2.4.50

REQUIRED CONFIGURATION

🙄 The bug is remote command / code execution under the vulnerable condition and when certain Apache modules are enabled ( MOD-CGI)

PATCH

PAYLOADS

LABS SETUPS 👇