CVE-2024-39884 Overview
A regression vulnerability in Apache HTTP Server version 2.4.60 causes the server to improperly handle legacy content-type based configuration of handlers. This source code disclosure vulnerability occurs when AddType and similar configuration directives are used, resulting in server-side scripts being served as raw source code instead of being properly interpreted and executed.
Under certain circumstances where files are requested indirectly, the affected Apache HTTP Server ignores the configured handlers, leading to the exposure of sensitive source code. For example, PHP scripts may be served as plain text files instead of being processed by the PHP interpreter, potentially exposing database credentials, API keys, business logic, and other sensitive information embedded in the source code.
Critical Impact
Source code disclosure can expose sensitive credentials, API keys, database connection strings, and proprietary business logic to unauthorized parties, potentially leading to further system compromise.
Affected Products
- Apache HTTP Server version 2.4.60
- NetApp ONTAP Tools 10 for VMware vSphere
Discovery Timeline
- 2024-07-04 - CVE-2024-39884 published to NVD
- 2025-07-01 - Last updated in NVD database
Technical Details for CVE-2024-39884
Vulnerability Analysis
This vulnerability represents a regression introduced in Apache HTTP Server 2.4.60 that affects the core handler configuration mechanism. The issue stems from improper processing of legacy content-type based handler configurations, specifically affecting directives like AddType, AddHandler, and similar configuration options.
When files are requested through indirect methods (such as through URL rewrites, includes, or certain proxy configurations), the server fails to properly apply the configured handlers. This causes script files that should be processed by their respective interpreters to instead be served with their raw source code visible to the requesting client.
The vulnerability has a local attack vector, meaning an attacker would need some level of access to craft requests that trigger the indirect file access condition. The high confidentiality impact reflects the severity of source code exposure, which can reveal sensitive information including credentials, encryption keys, and proprietary algorithms.
Root Cause
The root cause is a regression bug in the Apache HTTP Server 2.4.60 core that fails to properly respect the AddType and similar content-type based handler configurations under specific request conditions. When files are requested indirectly through the server, the handler configuration is bypassed, causing the server to serve the raw file contents rather than processing them through the appropriate interpreter (such as PHP, Python, or Perl handlers).
Attack Vector
An attacker can exploit this vulnerability by crafting HTTP requests that cause the server to access script files indirectly. The exact request pattern that triggers the condition depends on the server configuration.
The exploitation involves sending requests that bypass normal handler processing through indirect file access patterns. When successful, the server responds with the raw source code of server-side scripts instead of executing them. This allows the attacker to view sensitive information that would normally never be exposed to clients, including hardcoded credentials, configuration values, and application logic.
For detailed technical information, see the Apache HTTPD Vulnerability List and the Openwall OSS-Security Discussion.
Detection Methods for CVE-2024-39884
Indicators of Compromise
- HTTP responses containing raw PHP, Perl, or Python source code instead of rendered HTML output
- Server access logs showing requests for script files with unusual response content-types (e.g., text/plain instead of text/html)
- Detection of sensitive strings in HTTP responses such as <?php, database connection strings, or API credentials
- Anomalous client behavior with repeated requests to various script endpoints
Detection Strategies
- Monitor web server access logs for requests that result in unexpected content-type headers for known script files
- Implement web application firewall (WAF) rules to detect source code patterns in HTTP responses
- Deploy SentinelOne Singularity to monitor for anomalous file access patterns and information disclosure attempts
- Conduct regular vulnerability scans to identify Apache HTTP Server version 2.4.60 installations
Monitoring Recommendations
- Enable detailed logging of HTTP response content-types and compare against expected values for script extensions
- Configure intrusion detection systems to alert on responses containing script language markers (e.g., <?php, #!/usr/bin/perl)
- Monitor for external reconnaissance activity targeting script file endpoints
- Implement file integrity monitoring on web server configuration files to detect unauthorized changes
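The indicators and monitoring recommendations above can be turned into a concrete check. The following Python script is an added example written for this page, not code from Apache or from the advisory. It assumes the operator has extended the access log with the response Content-Type (for example a LogFormat ending in `"%{Content-Type}o"`, which the stock `combined` format does not include), and it uses a constructed five-line log sample. `suspicious_requests` flags successful requests for script files that were answered with a content type no interpreter would produce (such as `text/plain` or `application/octet-stream`), and `body_leaks_source` applies the source-marker test from the indicators list to a captured response body.

```python
import re
from dataclasses import dataclass

# Constructed sample access log. Assumption: the server logs the response
# Content-Type as the last quoted field, e.g.
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Content-Type}o\"" ctype
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jul/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "text/html; charset=UTF-8"
203.0.113.10 - - [05/Jul/2024:10:00:02 +0000] "GET /admin/config.php HTTP/1.1" 200 2048 "text/plain"
203.0.113.10 - - [05/Jul/2024:10:00:03 +0000] "GET /cgi-bin/report.pl HTTP/1.1" 200 1024 "application/octet-stream"
198.51.100.7 - - [05/Jul/2024:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 800 "application/javascript"
198.51.100.7 - - [05/Jul/2024:10:00:05 +0000] "GET /login.php HTTP/1.1" 302 0 "text/html; charset=iso-8859-1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ctype>[^"]*)"'
)

# Script extensions and the content types a correctly interpreted response
# is expected to carry. Extend this table to match the application.
SCRIPT_EXT_EXPECTED = {
    ".php": ("text/html", "application/json", "application/xhtml+xml"),
    ".pl": ("text/html", "application/json"),
    ".py": ("text/html", "application/json"),
}

# Markers that should never appear in a rendered response body.
SOURCE_MARKERS = (b"<?php", b"#!/usr/bin/perl", b"#!/usr/bin/env python",
                  b"#!/usr/bin/python")


@dataclass
class Finding:
    ip: str
    path: str
    status: str
    ctype: str
    reason: str


def suspicious_requests(log_text):
    """Return Findings for 2xx responses to script files whose logged
    Content-Type is not one an interpreter would emit."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not use the assumed format; skip it
        path = m["path"].split("?", 1)[0].lower()
        ext = next((e for e in SCRIPT_EXT_EXPECTED if path.endswith(e)), None)
        if ext is None or not m["status"].startswith("2"):
            continue
        major = m["ctype"].split(";", 1)[0].strip().lower()
        if major and major not in SCRIPT_EXT_EXPECTED[ext]:
            findings.append(Finding(m["ip"], m["path"], m["status"],
                                    m["ctype"], f"script {ext} served as {major}"))
    return findings


def body_leaks_source(body: bytes) -> bool:
    """True if the first 4 KiB of a response body contains a source-code marker."""
    head = body.lstrip()[:4096]
    return any(marker in head for marker in SOURCE_MARKERS)


if __name__ == "__main__":
    for f in suspicious_requests(SAMPLE_LOG):
        print(f"{f.ip} {f.path} {f.status} {f.ctype!r}: {f.reason}")
    # Constructed bodies: a raw script versus a rendered page
    print(body_leaks_source(b"<?php\n$db_pass = 'example-placeholder';\n"))
    print(body_leaks_source(b"<!DOCTYPE html><html><body>Welcome</body></html>"))
```

Running the script over a real log requires only that the log use the assumed field order; the content-type table is the part to tune, since an application that legitimately serves JSON or XML from `.php` endpoints needs those types listed to avoid false positives. The body check complements the log check because a 2xx `text/html` response can still carry raw source when the wrong handler produced it.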
How to Mitigate CVE-2024-39884
Immediate Actions Required
- Upgrade Apache HTTP Server from 2.4.60 to version 2.4.61 or later immediately
- Audit server access logs for evidence of source code disclosure prior to patching
- Rotate any credentials or API keys that may have been exposed through affected script files
- Review web server configurations to identify reliance on AddType and similar handler directives
Patch Information
Apache has released version 2.4.61 which resolves this regression vulnerability. Users running Apache HTTP Server 2.4.60 should upgrade immediately. The official security advisory and patch information can be found on the Apache HTTPD Security Page.
NetApp has also published a security advisory (NTAP-20240712-0002) for users of ONTAP Tools for VMware vSphere.
Workarounds
- If immediate upgrade is not possible, consider temporarily using SetHandler directives instead of AddType for critical script handling
- Implement WAF rules to block responses containing obvious source code patterns
- Restrict access to sensitive script directories using IP-based access controls
- Consider disabling indirect file access mechanisms until the patch can be applied
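The root cause section explains that the regression bypasses content-type based handler mappings, and the workaround list suggests moving critical script handling to explicit SetHandler directives. The following Python script is an added example for this page, not code from the Apache project: it audits a constructed httpd.conf fragment for AddType/AddHandler lines that route script extensions to an interpreter and renders the equivalent `<FilesMatch>`/`SetHandler` block. The handler names recognised (`application/x-httpd-php`, `cgi-script`, `server-parsed`) are standard Apache handlers; deployments using PHP-FPM use a different SetHandler target and are outside this example. Upgrading to 2.4.61 remains the fix; this only implements the interim workaround.

```python
import re

# Constructed sample configuration relying on content-type based handler mapping.
SAMPLE_CONF = """\
# Legacy style: the handler is chosen via the file's content type
AddType application/x-httpd-php .php .phtml
AddHandler cgi-script .pl .cgi
AddType text/css .css
LoadModule php_module modules/libphp.so
"""

DIRECTIVE_RE = re.compile(r'^\s*(AddType|AddHandler)\s+(\S+)\s+(.+?)\s*$', re.IGNORECASE)

# Content types / handler names that denote executable server-side scripts.
# Anything else (e.g. text/css) is a plain static mapping and is left alone.
SCRIPT_HANDLERS = {"application/x-httpd-php", "cgi-script", "server-parsed"}


def find_script_mappings(conf_text):
    """Return (directive, handler, [extensions]) for each content-type based
    mapping that routes script files to an interpreter."""
    hits = []
    for line in conf_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        directive, handler, exts = m.group(1), m.group(2), m.group(3).split()
        if handler.lower() in SCRIPT_HANDLERS:
            hits.append((directive, handler, exts))
    return hits


def to_sethandler(handler, exts):
    """Render an explicit FilesMatch/SetHandler block for the given extensions."""
    alt = "|".join(re.escape(e.lstrip(".")) for e in exts)
    return (f'<FilesMatch "\\.({alt})$">\n'
            f'    SetHandler {handler}\n'
            f'</FilesMatch>')


def hardened_config(conf_text):
    """Rewrite the fragment so script mappings use SetHandler; keep the
    original directive as a comment for review."""
    out = []
    for line in conf_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m and m.group(2).lower() in SCRIPT_HANDLERS:
            out.append("# replaced content-type based mapping: " + line.strip())
            out.append(to_sethandler(m.group(2), m.group(3).split()))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for directive, handler, exts in find_script_mappings(SAMPLE_CONF):
        print(f"{directive} {handler} -> {' '.join(exts)}")
    print(hardened_config(SAMPLE_CONF))
```

The audit function answers the "review web server configurations" action item on its own; the rewrite function is a starting point and its output should be checked with `apachectl configtest` before reload, since a SetHandler block in a `<FilesMatch>` applies to every matching file under its scope regardless of the MIME mapping the file would otherwise receive.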
```shell
# Verify Apache HTTP Server version
httpd -v
# Check for affected version 2.4.60
apachectl -v | grep "2.4.60"
# After upgrade, verify new version is installed
httpd -v | grep "2.4.61"
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.