Apache HTTP Server 2.4.62 has been released; it fixes two vulnerabilities and makes 6 other changes. The first vulnerability (CVE-2024-40898) allows an SSRF (server-side request forgery) attack via mod_rewrite. The problem appears only on the Windows platform and, when specially crafted requests are sent, can lead to leakage of NTLM hashes to a server controlled by attackers.
The second vulnerability (CVE-2024-40725) allows the source code of scripts to be viewed when their handling is configured with the AddType directive. For example, a specially crafted request to a PHP script can cause its contents to be returned rather than executed. The fix closes an additional way of exploiting CVE-2024-39884, which was addressed in version 2.4.61.
Among the non-security changes, the most notable is the addition to mod_ssl of the ability to load certificates and keys from stores that support the PKCS#11 standard.
According to a June report from Netcraft, about 212 million websites run on the Apache HTTP Server (228 million a year ago). Apache httpd's share is estimated at 19.28% of all sites, which puts it in second place in this category (Nginx 21.35%, Cloudflare 11.05%, OpenResty (a platform based on nginx and LuaJIT) 0.79%). When only active sites are considered, Apache takes first place with a share of 19.13% (Nginx 18.09%, Cloudflare 14.80%, Google 10.01%). Among the million most visited sites in the world, Apache is in third place with a share of 19.69% (Cloudflare leads with 23.10%, followed by Nginx with 20.50%).

Source: opennet.ru
