A novel directory traversal bug was introduced in apache httpd-2.4.49 in late September and quickly followed by an incomplete fix on version httpd-2.5.50 that was also followed by a fix on version httpd-2.4.51. We have a previous post describing the vulnerable
code in httpd-2.4.49 and the implemented fix from httpd-2.4.50. In this post, we will discuss the code changes that led to introducing a new bug assigned CVE-2021-42013 that leads to Path Traversal and Remote Code
Execution in httpd-2.4.50 as well as the fix and detection techniques. In the previous post, we learned about apache httpd-2.4.49 and CVE-2021-41773, a fix has been published, and httpd-2.4.50 was released. However,
the fix was incomplete and led to a directory traversal and command execution bug. To approach this fix, we will look at the source code changes to understand what changed then we will be using basic fuzzing techniques
to reproduce the security bug in a test environment.