关联漏洞
标题:Apache HTTP Server 安全漏洞 (CVE-2021-42013)Description:Apache HTTP Server是美国阿帕奇(Apache)基金会的一款开源网页服务器。该服务器具有快速、可靠且可通过简单的API进行扩充的特点。 Apache HTTP Server 存在安全漏洞,该漏洞源于发现 Apache HTTP Server 2.4.50 版本中对 CVE-2021-41773 的修复不够充分。攻击者可以使用路径遍历攻击将 URL 映射到由类似别名的指令配置的目录之外的文件。如果这些目录之外的文件不受通常的默认配置“要求全部拒绝”的保护,则这些请求可能会成功。如果还为这些别
介绍
# CVE-2021-42013
This is the deployment for Apache 2.4.50 which associates with CVE-2021-42013 using Docker container.
## Description:
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.
## Requirement:
Required atleast 1 CPU, 1GB RAM and 25GB Storage if using Digital Ocean's droplet. (Monthly around $5 only)
## Setup:
### Local File Inclusion:
```
docker-compose up --build -d
```
## Volumes:
## References:
- https://blogs.juniper.net/en-us/threat-research/apache-http-server-cve-2021-42013-and-cve-2021-41773-exploited
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013
- https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013
- https://nvd.nist.gov/vuln/detail/CVE-2021-42013
## License
Released under [MIT](/LICENSE) by [@ahmad4fifz](https://github.com/ahmad4fifz).
文件快照
[4.0K] /data/pocs/73bbac8a87ede20ac887193f6441be0351502096
├── [4.0K] apache
│ ├── [4.0K] conf
│ │ └── [ 20K] httpd.conf
│ ├── [ 852] Dockerfile
│ └── [4.0K] web
│ └── [1.2K] index.html
├── [ 330] docker-compose.yml
└── [1.3K] README.md
3 directories, 5 files
备注
1. 建议优先通过来源进行访问。
2. 本地 POC 快照面向订阅用户开放;当原始来源失效或无法访问时,本地镜像作为订阅权益的一部分提供。
3. 持续抓取、验证、维护这份 POC 档案需要不少投入,因此本地快照已纳入付费订阅。您的订阅是让这份资料能继续走下去的关键,由衷感谢。 查看订阅方案 →