Mitigate CVE-2024-40725 in Apache HTTP Server

vsociety
2 min read · Oct 9, 2024


by @nahuel.vicarius

CVE-2024-40725: 5.3 (Medium severity)

#!/bin/bash
# Mitigations for CVE-2024-40725: comment out AddType/ForceType, tighten file
# permissions, block direct access to .php files, disable directory listings
# and restart Apache. Adjust the paths marked CHANGE IF NEEDED for your host.

# Disable AddType and ForceType directives in Apache config files
disable_directives() {
    # Globs are left unquoted so they expand to the matching files
    config_files=("/etc/apache2/apache2.conf" /etc/apache2/conf-available/*.conf /etc/apache2/sites-available/*.conf "/etc/httpd/conf/httpd.conf")
    for config_file in "${config_files[@]}"; do
        if [[ -f "$config_file" ]]; then
            echo "Processing $config_file..."
            # Comment out AddType and ForceType lines
            sudo sed -i 's/^\s*\(AddType\|ForceType\)/# \1/g' "$config_file"
        fi
    done
    echo "Disabled AddType and ForceType directives."
}

# Set proper permissions for PHP and other sensitive files
set_file_permissions() {
    sensitive_dirs=("/var/www/html" "/your/custom/path") # CHANGE IF NEEDED
    for dir in "${sensitive_dirs[@]}"; do
        if [[ -d "$dir" ]]; then
            echo "Setting file permissions in $dir..."
            # Set permission to 640 for PHP and other sensitive files
            sudo find "$dir" -type f \( -name "*.php" -o -name "*.conf" \) -exec chmod 640 {} \;
        fi
    done
    echo "File permissions have been set."
}

# Create .htaccess to deny access to sensitive files
deny_access_to_sensitive_files() {
    sensitive_dirs=("/var/www/html" "/your/custom/path") # CHANGE IF NEEDED
    for dir in "${sensitive_dirs[@]}"; do
        if [[ -d "$dir" ]]; then
            echo "Creating .htaccess in $dir..."
            # Add .htaccess to deny direct access to sensitive files
            # (this replaces any existing .htaccess in that directory)
            sudo tee "$dir/.htaccess" > /dev/null <<'EOF'
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>
EOF
        fi
    done
    echo ".htaccess files created to block direct access to sensitive files."
}

# Disable directory listings in Apache
disable_directory_listings() {
    apache_conf="/etc/apache2/apache2.conf" # CHANGE IF NEEDED
    if [[ ! -f "$apache_conf" ]]; then
        apache_conf="/etc/httpd/conf/httpd.conf"
    fi
    if [[ -f "$apache_conf" ]]; then
        echo "Disabling directory listings in Apache..."
        sudo sed -i 's/Options Indexes/Options -Indexes/g' "$apache_conf"
        echo "Directory listings disabled."
    else
        echo "Apache configuration file not found. Please verify the path."
    fi
}

# Restart Apache (Debian/Ubuntu use apache2, the RHEL family uses httpd)
restart_apache() {
    if systemctl status apache2.service > /dev/null 2>&1; then
        echo "Restarting Apache (apache2.service)..."
        sudo systemctl restart apache2
    elif systemctl status httpd.service > /dev/null 2>&1; then
        echo "Restarting Apache (httpd.service)..."
        sudo systemctl restart httpd
    else
        echo "Apache service not found. Please verify the service name."
    fi
}

disable_directives
set_file_permissions
deny_access_to_sensitive_files
disable_directory_listings
restart_apache
echo "All mitigations for CVE-2024-40725 have been applied."

Description

🔒 Mitigating CVE-2024-40725: Securing Apache from Source Code Disclosure

This Bash script helps protect your Apache HTTP Server from CVE-2024-40725, a vulnerability that can expose sensitive source code, such as PHP scripts, instead of executing it. The issue stems from improper handling of the AddType directive in Apache configurations.

🔍 How it works:

The script performs multiple steps to secure your Apache setup:

  1. Disables the risky AddType and ForceType directives in the Apache configuration, so that raw source is not served in place of the interpreted output.
  2. Sets secure file permissions on sensitive files (such as .php), so that unauthorized local users cannot read them.
  3. Creates .htaccess rules in critical directories to block direct access to files containing sensitive code.
  4. Disables directory listings, so attackers cannot browse your directory structure.
  5. Restarts Apache so the changes take effect.

⚠️ Why it matters:

CVE-2024-40725 affects older Apache versions (before 2.4.62) and lets attackers abuse these handler misconfigurations to disclose local source code, which could lead to further exploitation. If you are running an affected Apache version, applying these mitigations can significantly reduce the risk of exposure while you plan your update to the patched version.
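Before and after running the mitigation script, it helps to confirm two things: that no active AddType/ForceType directive is left in a config file, and whether the installed httpd is already at 2.4.62 or later (the fixed release named above). The audit helper below is an added example, not code from the original post; the sample config it scans is constructed inline, and only the version threshold comes from the page.

```shell
#!/bin/sh
# Added audit helper (not part of the original post): finds ACTIVE AddType/ForceType
# directives in a config file and checks an httpd version against the 2.4.62 fix.
# Print active (uncommented) AddType/ForceType lines with line numbers.
# Returns 0 when none remain, 1 when at least one is still active.
find_active_type_directives() {
    config_file="$1"
    hits=$(grep -En '^[[:space:]]*(AddType|ForceType)[[:space:]]' "$config_file" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}
# Return 0 if "$1" (e.g. 2.4.58) is >= 2.4.62, the fixed release; 1 if affected.
apache_version_is_fixed() {
    version="$1"
    major=${version%%.*}
    rest=${version#*.}
    case "$rest" in
        *.*) minor=${rest%%.*}; patch=${rest#*.} ;;
        *)   minor=$rest;       patch=0 ;;
    esac
    if [ "$major" -gt 2 ]; then return 0; fi
    if [ "$major" -lt 2 ]; then return 1; fi
    if [ "$minor" -gt 4 ]; then return 0; fi
    if [ "$minor" -lt 4 ]; then return 1; fi
    [ "$patch" -ge 62 ]
}
# Extract "2.4.58" from "Server version: Apache/2.4.58 (Ubuntu)" on stdin,
# i.e. the first line printed by `apachectl -v` or `httpd -v`.
parse_httpd_version() {
    sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p'
}
# Constructed sample config for demonstration only.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
# AddType application/x-httpd-php .phtml   (already commented out)
AddType application/x-httpd-php .php
    ForceType text/plain
Options -Indexes
EOF
if find_active_type_directives "$sample_conf"; then
    echo "No active AddType/ForceType directives."
else
    echo "Active AddType/ForceType directives listed above; review them."
fi
rm -f "$sample_conf"
```

On a real host, feed `apachectl -v 2>/dev/null | parse_httpd_version` into `apache_version_is_fixed` and point `find_active_type_directives` at each file the mitigation script touches.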

Written by vsociety

vsociety is a community centered around vulnerability research
