To understand the exploits, one must first understand the server's environment. Apache 2.4.18 was never the latest stable release; it was a . The "18" refers to a minor release in the 2.4.x branch, which at the time included backported security patches by vendors.
FROM ubuntu:16.04 RUN apt-get update && apt-get install -y apache2=2.4.18-2ubuntu3 # Enable mod_cgi, mod_http2, and set AllowOverride All COPY vulnerable.cgi /usr/lib/cgi-bin/ CMD ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"] apache httpd 2.4.18 exploit
: Ensure PHP/CGI scripts cannot write to sensitive directories to prevent the initial foothold needed for local privilege escalation. To understand the exploits, one must first understand
To secure a system running version 2.4.18, follow these steps: To understand the exploits
Apache 2.4.18 was among the first versions to support the protocol via mod_http2 . However, early implementations lacked sufficient resource limits.