Bug was inadvertently introduced in last month’s security release
UPDATED Web admins are urged to protect against a high-impact path traversal vulnerability in the latest version of Apache Server that is being exploited in the wild.
As previously reported by The Daily Swig, the September update to Apache HTTP Server 2.4 fixed a number of issues, including server-side request forgery (SSRF) and request smuggling bugs.
READ MORE Developers fix multitude of vulnerabilities in Apache HTTP Server
These security issues were patched in version 2.4.49, however this update has since been found to have introduced a new vulnerability.
In a security advisory yesterday (October 5), Apache developers said that a flaw was found in changes made to the path normalization process in the open source web server software.
Data leak warning
“An attacker could use a path traversal attack to map URLs to files outside the expected document root,” the Apache advisory warns.
“If files outside of the document root are not protected by ‘require all denied’ these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.”
Read more of the latest news about security vulnerabilties
Apache has patched the issue in version 2.4.50, and web admins are encouraged to apply the fix as soon as possible.
Reproduction
Today (October 5), researchers from PT Swarm said that they have managed to reproduce the issue. Despite requests to the contrary, the researchers kept their proof-of concept under wraps.
The team took to Twitter to announce that they had successfully exploited the bug, adding: “Patch ASAP!”
Since this, other social media users have shared their proof of concepts (PoCs) on Twitter, including a full guide from Hacker Fantastic on how the bug works.
“Patch urgently,” the Twitter account advised.
Other users including Rohit Gautam (@HackerGautum) and a researcher who posts under the handle @h4x0r_dz also released their PoCs online.
A blog from Sonatype reported that more than 112,000 Apache servers across the globe were running the vulnerable version, adding that about 40% of these were located in the US.
Apache said that the vulnerability was disclosed by security researcher Ash Daulton and cPanel Security.
The Daily Swig has contacted cPanel Security and PT Swarm for more information and will update this article if and when more information comes to hand.
This article has been updated to include more information.
