Bug was inadvertently introduced in last month’s security release
UPDATED Web admins are urged to protect against a high-impact path traversal vulnerability in the latest version of Apache Server that is being exploited in the wild.
These security issues were patched in version 2.4.49, however this update has since been found to have introduced a new vulnerability.
In a security advisory yesterday (October 5), Apache developers said that a flaw was found in changes made to the path normalization process in the open source web server software.
Data leak warning
“An attacker could use a path traversal attack to map URLs to files outside the expected document root,” the Apache advisory warns.
“If files outside of the document root are not protected by ‘require all denied’ these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.”
Apache has patched the issue in version 2.4.50, and web admins are encouraged to apply the fix as soon as possible.
Today (October 5), researchers from PT Swarm said that they have managed to reproduce the issue. Despite requests to the contrary, the researchers kept their proof-of concept under wraps.
The team took to Twitter to announce that they had successfully exploited the bug, adding: “Patch ASAP!”
Since this, other social media users have shared their proof of concepts (PoCs) on Twitter, including a full guide from Hacker Fantastic on how the bug works.
“Patch urgently,” the Twitter account advised.
A blog from Sonatype reported that more than 112,000 Apache servers across the globe were running the vulnerable version, adding that about 40% of these were located in the US.
Apache said that the vulnerability was disclosed by security researcher Ash Daulton and cPanel Security.
The Daily Swig has contacted cPanel Security and PT Swarm for more information and will update this article if and when more information comes to hand.
This article has been updated to include more information.