CVE-2024-39884 - Source Code Disclosure in Apache HTTP Server 2.4.60 Explained

On June 18, 2024, a critical security flaw surfaced in Apache HTTP Server 2.4.60, cataloged as CVE-2024-39884. This vulnerability is especially dangerous to websites relying on classic content-type (AddType), such as PHP-powered sites. Attackers may exploit this bug and download your raw source code—like your .php files—instead of letting the server interpret and execute them. That means your secret business logic, API secrets, and database credentials could end up exposed to the public.

In this exclusive deep-dive, we'll break down what CVE-2024-39884 is, how it works, include a code example, and how to fix or mitigate it. You’ll also find links to official sources for further reading.

1. What Happened—And Why It Matters

Apache HTTP Server is the world’s most popular web server. In version 2.4.60, a regression broke the way legacy content-type handlers work, especially around the AddType directive. Apache sometimes decides how to process files (interpret or serve as raw files) based on rules like:

AddType application/x-httpd-php .php

The Bug:
With 2.4.60, under certain requests—especially “indirect” requests such as those using Alias or RewriteRule—Apache can ignore handler configs. That means your .php file might be served as plain text, not executed as PHP. An attacker can then simply download your source code.

Your Apache Config

AddType application/x-httpd-php .php

VirtualHost or Directory Setup

<Directory "/var/www/html/private">
    Require all denied
</Directory>

Alias /public "/var/www/html/private"

What can happen in 2.4.60

Normally, requesting http://your-site.com/public/secret.php should execute the PHP script. Due to this bug, Apache can forget to apply the PHP handler and just send the code:

<?php
// secret.php
$password = "SuperSecretPassword";
echo "You will never see this!";
?>

But with CVE-2024-39884, you might see this

<?php
// secret.php
$password = "SuperSecretPassword";
echo "You will never see this!";
?>

Simple Exploit Example (using curl)

curl http://victim.com/alias-to-php/secret.php

5. How To Patch or Mitigate

The only safe fix is to upgrade to 2.4.61.
The Apache team patched this regression there. Official Release Notes

### To Upgrade on Ubuntu/Debian

sudo apt update
sudo apt install apache2

- Consider using FilesMatch to explicitly force handlers

<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

6. References and More Reading

- Apache Security Advisory: CVE-2024-39884
- Official Apache 2.4.61 Release Notes
- Full CVE Detail

7. In Summary

If you manage any Apache 2.4.60 server, stop what you’re doing and update now. This bug isn’t theoretical—exploit code is trivial, and real site source code has already been exposed in the wild.

Don’t rely on complex workarounds. Upgrade to 2.4.61 right away, and check your Apache configs for dangerous legacy handler patterns.

Stay safe. Guard your source code.

Let others know: Has your site or company been hit by CVE-2024-39884? Share your story with us (anonymously) below!

Timeline

Published on: 07/04/2024 09:15:04 UTC
Last modified on: 11/19/2024 21:35:06 UTC