Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 7 Oct 2021 06:01:43 +0000
From: "Tim Wadhwa-Brown (twadhwab)" <>
To: "" <>
Subject: RE: CVE-2021-41773: Path traversal and file disclosure
 vulnerability in Apache HTTP Server 2.4.49 

Hi oss-security folks,

Closing the loop on this one. Will Dormann, Hacker Fantastic and I successfully managed to turn this into RCE on both Windows and Linux. With mod_cgi (and maybe other similar extensions) enabled, Will showed he could get calc to pop on Windows and HF and I subsequently figured out how to trigger the bug on Linux to reach /bin/sh and POST a shell payload. Whilst the configuration may not be default it's probably worth doubling down on any efforts to get the patch rolled out if you're affected. There's a whole series of Twitter that I shan't bore you with but should be a good starting point if you want to read back.


PS Apologies for any email mangling, first time posting here in quite some time and sadly corporate mail client is no longer KMail ☹. Not sure if it will become a regular habit again.

Tim Wadhwa-Brown
Security Research Lead, CX Technology & Transformation Group
Tel: +44 208 824 0239
Mail Stop UXB10/3
82 Oxford Road,
UB8 1UX,
United Kingdom |

-----Original Message-----
From: Stefan Eissing <> 
Sent: 05 October 2021 10:03
Subject: [oss-security] CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 

Severity: important


A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root.  

If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.

This issue is known to be exploited in the wild.

This issue only affects Apache 2.4.49 and not earlier versions.  


This issue was reported by Ash Daulton along with the cPanel Security Team


Download attachment "PGP.sig" of type "application/pgp-signature" (822 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.