Web admins are urged to protect against a high-impact path traversal vulnerability in the latest version of Apache Server that is being exploited in the wild.
As previously reported by The Daily Swig, the September update to Apache HTTP Server 2.4 fixed a number of issues, including server-side request forgery (SSRF) and request smuggling bugs.
These security issues were patched in version 2.4.49, however this update has since been found to have introduced a new vulnerability.
In a security advisory yesterday (October 5), Apache developers said that a flaw was found in changes made to the path normalization process in the open source web server software.
Data leak warning
“An attacker could use a path traversal attack to map URLs to files outside the expected document root,” the Apache advisory warns.
“If files outside of the document root are not protected by ‘require all denied’ these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.”
Apache has patched the issue in version 2.4.50, and web admins are encouraged to apply the fix as soon as possible.
Reproduction
Today (October 5), researchers from PT Swarm said that they have managed to reproduce the issue. Despite requests to the contrary, the researchers kept their proof-of concept under wraps.
The team took to Twitter to announce that they had successfully exploited the bug, adding: “Patch ASAP!”
A blog from Sonatype reported that more than 112,000 Apache servers across the globe were running the vulnerable version, adding that about 40% of these were located in the US.
Apache said that the vulnerability was disclosed by Ash Daulton of cPanel Security.
The Daily Swig has contacted cPanel Security and PT Swarm for more information and will update this article if and when more information comes to hand.
Source: https://portswigger.net/daily-swig/apache-http-server-devs-issue-fix-for-critical-data-leak-vulnerability-update-now
