CVE-2024-39884: Apache HTTP Server 2.4.60 - Regression in Legacy Content-Type Configuration Handling Leading to Source Code Disclosure

CVE-2024-39884 highlights a regression issue in the core of Apache HTTP Server 2.4.60 that can lead to disclosure of local content, such as source code, in PHP scripts. The issue is a result of Apache ignoring certain uses of legacy content-type based configuration for handlers, including "AddType" configuration. This vulnerability affects systems where files are requested indirectly, exposing sensitive information that could lead to exploitation.

Exploit Details

The vulnerability exists in Apache HTTP Server 2.4.60 when handling legacy content-type based configurations, such as "AddType". Under certain circumstances, such as when files are requested indirectly, the server may ignore this configuration and serve the source code instead of interpreting it. As a result, attackers can potentially access and view the PHP script source code, revealing sensitive data and critical system information.

Consider the following Apache HTTP Server configuration

AddType application/x-httpd-php .php

With this configuration, requests to PHP files should be processed as PHP scripts. However, due to the regression issue in Apache HTTP Server 2.4.60, the server may ignore this directive for some indirect requests, causing the PHP source code to be served instead.

Links to Original References

1. Apache HTTP Server official announcement and patch: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-39884
2. CVE-2024-39884 details on NIST National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2024-39884

Mitigation and Prevention

Users of Apache HTTP Server 2.4.60 are strongly recommended to upgrade to version 2.4.61, which contains a fix for this issue. This can be done by following the official download and installation instructions provided by Apache, available here: https://httpd.apache.org/download.cgi

In addition to upgrading, users should review their server configurations and ensure that proper access controls and security measures are in place to minimize any potential impact from vulnerabilities.

Conclusion

CVE-2024-39884 is a serious regression issue in Apache HTTP Server 2.4.60. By ignoring certain uses of legacy content-type based configurations, the server may unintentionally disclose the source code of PHP scripts to attackers under specific circumstances. It is crucial for users to upgrade their systems to version 2.4.61 and follow recommended security practices to protect their critical data and systems.

Timeline

Published on: 07/04/2024 09:15:04 UTC
Last modified on: 07/17/2024 21:15:11 UTC