Apache HTTP Server path traversal

Added: 10/21/2021

Background

Apache HTTP Server is an HTTP server implementation for Linux and Windows.

Problem

A path traversal vulnerability allows remote attackers to execute arbitrary commands in certain configurations if CGI scripts are enabled.

Resolution

Upgrade to Apache HTTP Server 2.4.51 or higher.

References

https://httpd.apache.org/security/vulnerabilities_24.html

Limitations

Exploit works on Linux targets. CGI scripts must be enabled for the /cgi-bin/ path in order for this exploit to succeed. Targets that have the default "require all denied" configuration are not vulnerable.

Platforms

Linux

Back to exploit index