Skip to main content

cve-2021-41773-apache-path-traversal-via-ssrf

CVE-2021-41773: Apache Path Traversal via SSRF

CVE-2021-41773 is a path traversal vulnerability affecting Apache HTTP Server version 2.4.49.
This issue allows attackers to access arbitrary files on the server by bypassing path normalization using specially crafted URL encoding.

This vulnerability can lead to:

  • Sensitive file disclosure (e.g., /etc/passwd)
  • Source code leakage
  • Potential remote code execution in certain configurations

The issue exists because of improper validation of encoded paths, allowing traversal outside the intended web directory.

Root Cause

Apache failed to properly sanitize encoded traversal sequences such as:

.%2e/

This encoding bypasses the path normalization mechanism, allowing directory traversal even when access controls are configured.

Exploitation Technique

Path Traversal

Instead of using:

../

Attackers can use:

.%2e/

Example:

http://[TARGET]/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd

This allows access to sensitive system files.

SSRF + CVE-2021-41773

In this challenge, the vulnerability is exploited through Server-Side Request Forgery (SSRF).

Attack Flow:

  1. The attacker identifies an SSRF endpoint.
  2. The SSRF is used to send requests to an internal Apache server.
  3. The attacker injects traversal payloads.
  4. The internal Apache server processes the request and returns sensitive files.

Example SSRF payload:

http://vulnerable-app/?url=http://127.0.0.1/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd

This bypasses network restrictions and accesses internal services.