The Apache HTTP Server is an open-source web server for Unix-like operating systems and Windows, providing a secure, customizable, and efficient service to host web pages and web applications. Recently, a critical vulnerability in Apache HTTP Server 2.4.59 and earlier versions has been discovered. This vulnerability is tracked under CVE-2024-38475, and it allows an attacker to map URLs to filesystem locations that should not be reachable by a user. In this post, we will discuss the details of this vulnerability, how it can be exploited, and how to mitigate its risks.

Problem Description

The issue lies in mod_rewrite, a module that provides a rule-based rewriting engine to rewrite requested URLs on the fly. It uses regular expressions to transform the requested URL, which makes it possible to create clean and readable URLs. However, improper escaping of output in mod_rewrite can lead to code execution or source code disclosure if an attacker maps URLs to filesystem locations that are permitted to be served by the server but are not intentionally or directly reachable by any URL.

Affected Functionality

Substitutions in the server context that use a backreferences or variables as the first segment of the substitution are affected. In other words, if the substitution starts with a backreference (such as $1) or a variable, the issue may be exploited. This means that some RewriteRules may not work as expected and might lead to potential vulnerabilities.

Here's an example of an unsafe RewriteRule

RewriteRule ^(.*)$ /path/to/web/files/$1

In this example, if the substitution is not appropriately constrained, an attacker may manipulate the URL to access restricted files or even execute code on the server by taking advantage of the backreference $1.

How to Mitigate the Risk

To address this vulnerability, administrators should update their Apache HTTP Server to version 2.4.60 or later. The updated version provides a new rewrite flag called "UnsafePrefixStat," which can be used after ensuring that the substitution is appropriately constrained.

An example of a safer RewriteRule that uses the "UnsafePrefixStat" flag

RewriteRule ^(.*)$ /path/to/web/files/$1 [UnsafePrefixStat]

To prevent the exploitation of this vulnerability, it is recommended to restrict the possible values of backreferences in RewriteRules. This can be achieved by using more specific regular expressions and tightening the rules for substitutions.

Original References & Additional Information

- Apache HTTP Server Advisory: CVE-2024-38475
- mod_rewrite Documentation: Apache HTTP Server
- Patch Release Notes: Apache HTTP Server 2.4.60 Changelog

Conclusion

CVE-2024-38475 is a critical vulnerability in Apache HTTP Server 2.4.59 and earlier that may lead to code execution or source code disclosure through improper output escaping in mod_rewrite. Administrators should update to version 2.4.60 or later, ensure proper constraining of substitutions, and use the new "UnsafePrefixStat" flag to mitigate risks. Additionally, it's essential to keep an eye on official advisories and updates to stay protected against new vulnerabilities and security threats.

Timeline

Published on: 07/01/2024 19:15:04 UTC
Last modified on: 07/12/2024 14:15:15 UTC