The Apache HTTP Server version 2.4.49 has a blistering vulnerability, and it’s already being leveraged in attacks. CVE-2021-41773 is a simple path traversal flaw, where the %2e encoding is used to bypass filtering. Thankfully the bug was introduced in 2.4.49, the latest release, and a hotfix has already been released, 2.4.50.
curl --data "echo;id" 'http://127.0.0.1:80/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh'
If that returns anything other than a 403 error, your server may be vulnerable. It’s worth pointing out that Apache is shipped with a configuration block that mitigates this vulnerability.
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# blocks below.
#
<Directory />
AllowOverride none
Require all denied
</Directory>
The Day The Internet Stood Still
You might have noticed a bit of a kerfluffel on the Internet on Monday. Facebook dropped out for nearly six hours. While the break was nice for some, it was a major problem for others. What exactly happened? The most apparent cause was that the Facebook.com domain was returning nxdomain to DNS lookups. This led to some fun tweets, with screen caps showing Facebook.com for sale.
how much? https://t.co/fH0zXw7rV9
— jack (@jack) October 4, 2021
Facebook has put up a blog post with all the details, and Cloudflare has a nice write-up on security apache nightmare revil arrests ultimate rickroll
