After a recent partial fix for CVE-2024-39884 in Apache HTTP Server 2.4.61, it has been discovered that the update did not entirely address the vulnerability. The core of Apache HTTP Server 2.4.61 still neglects some use of the legacy content-type based configuration of handlers, leading to the potential disclosure of local content, such as PHP scripts, instead of interpreting them. In this long read, we will discuss the issue, provide a code snippet demonstrating the vulnerability, link to the original references, and provide details on the exploit as well as the solution. Users are strongly recommended to upgrade to Apache HTTP Server 2.4.62, which effectively resolves this issue.

Details and Exploit

The partial fix for CVE-2024-39884 focused on content-type based configuration using "AddType" and similar directives. Under specific circumstances, particularly when files are requested indirectly, the fix may result in the source code disclosure of local content. An attacker could take advantage of this situation to access sensitive information or cause harm to the web server.

Consider the following code snippet that demonstrates the vulnerability

<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

AddType application/x-httpd-php .php

When a PHP script is requested separately, it will usually be executed as intended. However, if the request is indirect, the server might serve the PHP script's source code instead of executing it. This could lead to a potential leak of sensitive information.

One possible scenario where this exploit may be used is in conjunction with Local File Inclusion (LFI) attacks. A threat actor could use the LFI vulnerability to craft a specific HTTP request that forces the server to reveal the source code of the PHP scripts.

References

For more information on this vulnerability, as well as other details of the initial partial fix, consult the following resources:

- Apache HTTP Server Official Security Advisory: https://httpd.apache.org/security/vulnerabilities_24.html
- Original CVE entry for CVE-2024-39884: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39884
- Technical analysis of the vulnerability by a security researcher: https://example.com/technical-analysis (Replace with a valid link to a researcher's analysis)

Solution

To fully mitigate the risks of this vulnerability, users are encouraged to upgrade their Apache HTTP Server installations to version 2.4.62. This new version includes a fix for CVE-2024-40725, ensuring that the source code disclosure issue is effectively addressed.

You can download the latest version of Apache HTTP Server here: https://httpd.apache.org/download.cgi

Additionally, it is recommended to review your server configuration and remove any legacy content-type based configurations that could potentially lead to similar issues in the future.

In conclusion, the partial fix of CVE-2024-40725 in Apache HTTP Server 2.4.61 may inadvertently result in source code disclosure under certain circumstances. Users should upgrade to version 2.4.62 to effectively resolve the issue and review their server configurations for any potential risks.

Timeline

Published on: 07/18/2024 10:15:02 UTC
Last modified on: 08/22/2024 17:13:09 UTC