CVE-2024-38474 - Critical Substitution Encoding Flaw in Apache mod_rewrite — Exploit Deep Dive & Simple Fix
---
TL;DR
CVE-2024-38474 is a dangerous substitution encoding bug in Apache HTTP Server’s mod_rewrite (versions 2.4.59 and earlier). Clever attackers can leverage certain RewriteRules to trick Apache into running scripts (CGI) or exposing their source code, even in directories that should be protected or inaccessible by normal URLs. If you're using mod_rewrite, you *must* update to 2.4.60 and review your rules. We'll show you how this works, how to protect yourself, and how you might get “pwned” if you don’t patch.
Quick Background: What Is mod_rewrite?
mod_rewrite is an Apache module that helps you rewrite URLs on the fly. It’s powerful, but with power comes risk—especially if your rules aren’t ironclad.
Example RewriteRule
RewriteEngine On
RewriteRule ^foo/(.*)$ /bar/$1 [L]
This rewrites a request for /foo/xyz to /bar/xyz.
The vulnerability only bites when a RewriteRule copies user-controlled data into its substitution in an unsafe combination.
Attackers exploit how %-encoding and the ? query-string separator are handled during substitution (hence “substitution encoding”). Apache’s URL normalization had cracks that let data slip through: some encoded characters were *not* being interpreted as intended, so assumptions about what the rewritten URL could contain no longer held.
Suppose you have a site with the following in your Apache config:
# BAD: Unsafe RewriteRule Example
RewriteEngine On
RewriteRule ^/?run/(.*)$ /secret_area/scripts/$1 [PT]
Maybe /secret_area/scripts/ has important CGI scripts. You don’t want users to *browse* this directory (say, with /secret_area/scripts/), but allow this special way to execute them.
What an Attacker Might Do
The attacker sends the ? character percent-encoded (%3F) inside the path. Because mod_rewrite matches against the decoded path, the ? survives into the substitution, and the script receives input the rule was never meant to forward.
Malicious Request
GET /run/my_script.php%3Fparam=value HTTP/1.1
Host: victim.example.com
What happens?
Instead of being blocked, the request reaches my_script.php inside the protected directory, with the part of the *path* after the decoded ? treated as the CGI query string. In some configurations the script is then served as a plain file rather than executed, so the server *displays* its source instead of running it!
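Requests of this shape leave a clear trace in the access log: a percent-encoded question mark (%3F) inside the path component, before any literal ?. The scanner below is an added example written for this post, not code from the Apache project; it parses Combined Log Format lines (constructed sample lines, not from a real server) and reports requests whose path carries an encoded ?, showing the decoded path that a RewriteRule would have matched against.

```python
import re
from urllib.parse import unquote

# Combined Log Format: client ident user [time] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines for demonstration only (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jul/2024:10:00:01 +0000] "GET /run/my_script.php%3Fparam=value HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.5 - - [01/Jul/2024:10:00:02 +0000] "GET /user/12345%3fDEBUG HTTP/1.1" 200 4410 "-" "curl/8.0"
198.51.100.7 - - [01/Jul/2024:10:00:03 +0000] "GET /user/12345?debug=1 HTTP/1.1" 200 120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jul/2024:10:00:04 +0000] "GET /search?q=what%3F HTTP/1.1" 200 233 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Jul/2024:10:00:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def encoded_qmark_in_path(target):
    """True if the request path (the part before any literal '?') carries an encoded '?'.

    A %3F after the real query separator is ordinary form data and is not flagged.
    """
    path = target.split("?", 1)[0]
    return "%3f" in path.lower()


def scan_log(text):
    """Return (client, method, target, decoded_path, status) for each suspect request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in Combined Log Format
        target = m.group("target")
        if encoded_qmark_in_path(target):
            # unquote shows the path exactly as mod_rewrite's pattern would see it
            decoded_path = unquote(target.split("?", 1)[0])
            hits.append((m.group("client"), m.group("method"), target,
                         decoded_path, m.group("status")))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspect: client=%s %s %s -> rule sees %r (status %s)" % hit)
```

On the sample, the two curl requests are reported (the first decodes to /run/my_script.php?param=value) while the ordinary query-string requests are not. A 200 status on such a request against a script path is what you would triage first.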
Let’s assume you have a CGI script show_user.php:
RewriteRule ^/user/(.*)$ /protected/cgibin/show_user.php?id=$1 [PT]
The attacker requests:
GET /user/12345%3FDEBUG HTTP/1.1
- If not patched, mod_rewrite might pass this through as /protected/cgibin/show_user.php?id=12345?DEBUG
Possible impact:
- Source code exposure: secrets in scripts leak out.
- Bypassing access controls: attackers run scripts in directories not meant for direct user access.
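To make the mechanism behind both examples concrete, here is a small model of one RewriteRule being applied to a request. It is an added example written for this post and a deliberate simplification, not Apache's code: it assumes, as the examples above describe, that the pattern is matched against the percent-decoded path (so %3F arrives as a literal ?) and that the expanded substitution is then split at its first ? into a new path and QUERY_STRING. The `patched` switch models the 2.4.60 behaviour in the same simplified way: a substitution that gains a ? from an encoded %3F in the request is refused unless the rule carries UnsafeAllow3F. Python's `re` stands in for Apache's PCRE.

```python
import re
from urllib.parse import unquote


class UnsafeSubstitution(Exception):
    """Raised when the modelled 2.4.60 behaviour refuses a substitution."""


def apply_rewrite(pattern, substitution, flags, request_target, patched=True):
    """Simplified model (an assumption for illustration, not Apache's implementation).

    Returns (new_path, query_string), or None if the rule does not match.
    """
    raw_path, _, query = request_target.partition("?")
    decoded_path = unquote(raw_path)          # %3F -> '?', mirrors what the pattern sees
    m = re.match(pattern, decoded_path)
    if not m:
        return None

    # Expand $1, $2, ... with the captured groups.
    expanded = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", substitution)

    # Modelled 2.4.60 check: a '?' in the result that originates from an encoded
    # %3F in the request is refused unless the rule opts in with UnsafeAllow3F.
    if patched and "UnsafeAllow3F" not in flags:
        if "?" in expanded and "%3f" in raw_path.lower():
            raise UnsafeSubstitution(
                "substitution would turn an encoded %3F into a query-string separator")

    new_path, has_q, new_query = expanded.partition("?")
    if has_q:
        # A '?' in the substitution replaces the original query string unless QSA is set.
        if "QSA" in flags and query:
            new_query = new_query + "&" + query
        return new_path, new_query
    return new_path, query


def is_refused(pattern, substitution, flags, request_target):
    """Convenience wrapper: does the patched model refuse this rewrite?"""
    try:
        apply_rewrite(pattern, substitution, flags, request_target, patched=True)
        return False
    except UnsafeSubstitution:
        return True


if __name__ == "__main__":
    # The two rules from the text, each with the encoded-? request from the text.
    cases = [
        (r"^/?run/(.*)$", "/secret_area/scripts/$1", ["PT"], "/run/my_script.php%3Fparam=value"),
        (r"^/user/(.*)$", "/protected/cgibin/show_user.php?id=$1", ["PT"], "/user/12345%3FDEBUG"),
    ]
    for pattern, subst, flags, target in cases:
        print("unpatched:", apply_rewrite(pattern, subst, flags, target, patched=False))
        print("patched refuses:", is_refused(pattern, subst, flags, target))
```

On the unpatched model the first case yields path /secret_area/scripts/my_script.php with query param=value, and the second yields /protected/cgibin/show_user.php with query id=12345?DEBUG, exactly the outcomes described above; the patched model refuses both unless UnsafeAllow3F is in the flag list, while a normal request such as /user/12345?debug=1 still rewrites because no %3F is involved.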
The Fix: Patch to 2.4.60 ASAP!
Apache’s official advisory for CVE-2024-38474 recommends upgrading to Apache HTTP Server 2.4.60 or above.
Why? Because now, suspect substitutions *fail by default* unless you explicitly opt in with a new flag.
New Defensive Behavior
Some RewriteRules will now fail unless the rewrite flag UnsafeAllow3F is given.
So:
# On 2.4.59 and earlier this rule substitutes an encoded ? from the captured path and turns it into a query string
RewriteRule ^/something/(.*)$ /hidden/$1 [PT]
# On 2.4.60 and later the same rule simply fails for such requests.
# If you genuinely need the old behaviour, opt in consciously:
RewriteRule ^/something/(.*)$ /hidden/$1 [PT,UnsafeAllow3F]
But you *should* avoid adding UnsafeAllow3F unless you *know* you need it and understand the risks!
How to Check If You’re Vulnerable
1. Review your .htaccess and Apache config(s) for RewriteRules that pass user input to script paths or filenames.
2. Test with encoded URL paths (like adding %3F at the end of path components) and see if you can access or "leak" content that shouldn't be reachable.
Here’s a bash one-liner you could try (adjust to your site):
curl -v "http://yoursite.com/run/anyfile.php%3Fsecret"
If Apache dumps raw code (or you're suddenly prompted to download a file), you’re at risk!
3. Audit your RewriteRules: look for any that pass $1, $2, etc. to script names or directories.
4. Never blindly copy RewriteRules from old tutorials or forums—they may be unsafe post-CVE-2024-38474.
References
Apache Security Advisory:
https://httpd.apache.org/security/vulnerabilities_24.html
CVE Details:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38474
Full Patch Discussion and ChangeLog:
https://github.com/apache/httpd/commit/59c83811f26f285df03cde325e79bab66351f900
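Steps 1 and 3 of the checklist (find every RewriteRule that feeds $1, $2, ... into a script path) are easy to automate. The auditor below is an added example written for this post, not an Apache tool; it reads httpd.conf or .htaccess text (a constructed sample is embedded), extracts each RewriteRule with its flags, and reports rules whose substitution embeds a captured group. Rules that point at script-looking targets are rated high, rules that already carry UnsafeAllow3F are marked for review (the opt-in is deliberate and should be justified), and the rest are medium. The script-target heuristic and the severity labels are this example's own choices; the parser assumes one directive per line with unquoted arguments.

```python
import re

# Constructed sample configuration for demonstration only (not from any real server).
SAMPLE_CONFIG = """\
RewriteEngine On
# plain redirect, no user input reaches a script path
RewriteRule ^old-page$ /new-page [R=301,L]
RewriteRule ^/?run/(.*)$ /secret_area/scripts/$1 [PT]
RewriteRule ^/user/(.*)$ /protected/cgibin/show_user.php?id=$1 [PT]
RewriteRule ^/?legacy/(.*)$ /hidden/$1 [PT,UnsafeAllow3F]
RewriteRule ^/?img/(.*)\\.png$ /static/images/$1.png [L]
"""

# $N is a RewriteRule backreference, %N a RewriteCond backreference.
BACKREF_RE = re.compile(r"\$[0-9]|%[0-9]")
# Heuristic (this example's assumption): substitutions that look like script locations.
SCRIPT_HINT_RE = re.compile(r"(\.php|\.cgi|\.pl|\.py|cgi-?bin|scripts?/)", re.IGNORECASE)


def parse_rewrite_rules(text):
    """Yield (lineno, pattern, substitution, flags) for each RewriteRule directive."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.lower().startswith("rewriterule"):
            continue                      # comments, other directives, blank lines
        parts = line.split(None, 3)       # directive, pattern, substitution, [flags]
        if len(parts) < 3:
            continue
        pattern, substitution = parts[1], parts[2]
        flags = []
        if len(parts) == 4 and parts[3].startswith("["):
            flags = [f.strip() for f in parts[3].strip("[]").split(",") if f.strip()]
        yield lineno, pattern, substitution, flags


def audit(text):
    """Return findings for rules whose substitution embeds captured user input."""
    findings = []
    for lineno, pattern, substitution, flags in parse_rewrite_rules(text):
        if not BACKREF_RE.search(substitution):
            continue                      # nothing user-controlled reaches the substitution
        # Flags may carry values (R=301); compare on the name only.
        flag_names = {f.split("=", 1)[0] for f in flags}
        opted_in = "UnsafeAllow3F" in flag_names
        targets_script = bool(SCRIPT_HINT_RE.search(substitution))
        if opted_in:
            severity = "review"           # deliberate opt-in: confirm it is still needed
        elif targets_script:
            severity = "high"             # user input selects a script path
        else:
            severity = "medium"
        findings.append({
            "line": lineno,
            "rule": "%s %s" % (pattern, substitution),
            "flags": flags,
            "unsafe_allow_3f": opted_in,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("line %(line)d [%(severity)s] RewriteRule %(rule)s flags=%(flags)s" % f)
```

On an unpatched server the high findings are the rules to fix first; on 2.4.60 or later those same rules now fail closed for %3F requests, so the findings there tell you where to expect broken rewrites and where UnsafeAllow3F has been added and needs a documented reason.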
In Conclusion
CVE-2024-38474 is a great lesson in how small encoding bugs can break all your security models. If you use mod_rewrite on Apache 2.4.59 or earlier, *patch now* or risk attackers walking off with your server-side secrets.
Stay safe — and always test RewriteRules before using them in production!
Timeline
Published on: 07/01/2024 19:15:04 UTC
Last modified on: 08/21/2024 15:03:30 UTC