CVE-2024-40725 Overview
A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.62, which fixes this issue.
Critical Impact
This vulnerability allows for the unintended disclosure of source code, which can lead to further exploitation.
Affected Products
- Apache Http Server 2.4.60
- Apache Http Server 2.4.61
Discovery Timeline
- Not Available - Vulnerability discovered by Not Available
- Not Available - Responsible disclosure to Apache
- Not Available - CVE CVE-2024-40725 assigned
- Not Available - Apache releases security patch
- 2024-07-18 - CVE CVE-2024-40725 published to NVD
- 2025-03-14 - Last updated in NVD database
Technical Details for CVE-2024-40725
Vulnerability Analysis
This information disclosure vulnerability arises due to legacy configuration handling in Apache HTTP Server 2.4.61, where the AddType directive and similar configurations can expose source code when content is requested indirectly.
Root Cause
Improper handling of legacy content-type based configurations results in unintended exposure of local file content.
Attack Vector
Network-based attacks can leverage indirect requests to exploit this vulnerability, potentially revealing sensitive source code.
# Example of a vulnerable configuration
AddType application/x-httpd-php .php
# Under indirect conditions, could expose PHP source code
Detection Methods for CVE-2024-40725
Indicators of Compromise
- Unusual access to PHP files
- Logs showing raw PHP code in HTTP response
- Requests for source file types (*.php without execution)
Detection Strategies
Use web server logs to identify uncharacteristic requests to PHP and other sensitive file types. Monitor for HTTP responses that match PHP source output.
Monitoring Recommendations
Implement logging of all HTTP requests and responses to detect anomalous interactions. Utilize intrusion detection systems to identify patterns related to source code leakage.
How to Mitigate CVE-2024-40725
Immediate Actions Required
- Upgrade to Apache HTTP Server version 2.4.62
- Review and update AddType directives
- Ensure scripts are executed correctly, rather than served as static content
Patch Information
Apache has released a patch in version 2.4.62 to address this vulnerability. Users should upgrade as soon as possible.
Workarounds
Review and adjust all AddType configurations in the httpd.conf file to ensure PHP scripts are handled as executable and not static files.
# Example configuration to mitigate the issue
<FilesMatch "\.php$">
SetHandler application/x-httpd-php
</FilesMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
