Bugtraq mailing list archives
Security Advisory: HTTP/CGI Script Exploit
From: jrichard () fix net (Josh Richards)
Date: Wed, 11 Dec 1996 18:22:25 -0800
================================================================================
The DataHaven Project ____ SECURITY ADVISORY ____ <jrichard () fix net>
10 December 1996
Revised: 11 December 1996
================================================================================

Program(s):      nph-test-cgi (a commonly installed sample CGI script)

Problems:        Anyone can remotely view your filesystems via the web.

Extent/Severity: Majority of UNIX based Internet World Wide Web servers come
                 with this CGI script installed by default and are currently
                 exploitable.

Date:            10 December 1996

Author:          jrichard () fix net (Josh Richards)

Description:

A security hole exists in the nph-test-cgi script included in most UNIX based
World Wide Web daemon distributions. The nph-* scripts exist to allow
'non-parsed headers' to be sent via the HTTP protocol (this is not the cause
of this security problem, though). The problem is that nph-test-cgi, which
prints out information on the current web environment (just like 'test-cgi'
does), does not enclose its arguments to the 'echo' command inside of quotes.
Shell escapes are not possible (or at least I have not found them to be--yet)
but shell *expansion* is. This means that _any_ remote user can easily browse
your filesystem via the WWW. This is a bug with the nph-test-cgi script and
_not_ the server itself.

Versions: (These versions include the problem script in the distribution)

[PLEASE NOTE: These are only the ones that I have access to and could test
out and verify.--JR]

NCSA HTTP       1.3, 1.4, 1.4.1, 1.4.2, 1.5.1, 1.5.2, 1.5.2a

Apache HTTP     0.8.11, 0.8.14, 1.0.0, 1.0.2, 1.0.3, 1.0.5, 1.1.0
                Please note that the latest versions 1.1.1 and 1.2b2 or
                higher do *not* include the script as part of the
                distribution, but if you upgrade from an earlier version (or
                NCSA HTTP) then the script _may_ still be installed on your
                server from a previous distribution.
Apache-SSL HTTP 1.0.5, 1.1.1 (see Apache notes above)

StrongHold      1.3.2 (basically Apache 1.1.1 + SSL extensions)

Netscape        Communications 1.1, 1.12
                Enterprise 2.0a
                Commerce 1.12

BESTWWWD        1.0

Microsoft       [Status is unknown--I have no servers to test this on.--JR]

Exploit:

Enter the URL:

    <http://yourwebserver.com/cgi-bin/nph-test-cgi?*>

Replace <yourwebserver.com> with the hostname of a server running a web
daemon near you. [Please note that the asterisk ('*') on the end of the URL
is very important.] Now look very closely at the line beginning with
"QUERY_STRING". Does it look familiar to you? It should (if it doesn't, you
should really spend a little more time looking at what is installed on your
system). Similar URLs such as

    <http://yourwebserver.com/cgi-bin/nph-test-cgi?/*>

will allow users to traverse the filesystem and view the contents of other
directories on your server.

History:

A similar bug was reported in a L0pht advisory (from mudge () l0pht com) in
April 1996 with another (very similar) CGI script ('test-cgi'), and it was
subsequently fixed by most of the major distributions. See
<URL:http://www.l0pht.com/advisories/test-cgi-vulnerability> for more
information.

Fix:

Type 'chmod 700 nph-test-cgi' at your nearest shell prompt (as superuser). :-)

If it is necessary to have the script accessible (I don't know why it would
be, though) then a quick fix is to put quotes around all parameters to
'echo':

    echo QUERY_STRING = $QUERY_STRING

This would become

    echo "QUERY_STRING = $QUERY_STRING"

A longer term fix is to disable shell 'globbing' completely. This can be
accomplished by using the '-f' (or 'set -f') parameter if you are using a
Bourne derived shell.

Prevention:

Apply the above suggested fixes. Watch your server's access_log for any
accesses to "/cgi-bin/nph-test-cgi" by doing a grep for "nph-test-cgi".

Notes:

There are _many_ CGI scripts written (I am guilty of writing them myself)
that do not check the input environment/variables enough.
Please check your quickly-hacked-together-just-to-get-the-job-done shell
scripts carefully. UNIX can be powerful--too powerful for its (our?) own good
sometimes.

| Josh Richards -- Network Admin/Tech Support @ ***The FIX Network***          |
| <jrichard () FIX Net> <jrichard () Freedom Gen Ca Us> <jrichard () Slonet Org> |
| <http://www.freedom.gen.ca.us/jrichard/>            Finger for my PGP Key    |
| - '"Anonymity is bad," says a source who wishes to remain anonymous.' -      |
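Added illustration, not part of the advisory or of any server distribution: the script below reproduces the unquoted-echo globbing problem in a throwaway directory, places the advisory's two fixes (quoting and 'set -f') beside it, and runs the suggested access_log grep over constructed log lines. The scratch files and log lines are made up for the example.

```shell
#!/bin/sh
# Added example, not part of the original advisory. Reproduces the
# unquoted-echo globbing problem in a scratch directory and shows
# both fixes from the advisory; nothing touches a real cgi-bin.

# As in nph-test-cgi: the unquoted expansion of $QUERY_STRING is
# subject to pathname expansion before echo ever sees it.
vulnerable_echo() {
    echo QUERY_STRING = $QUERY_STRING
}

# Fix 1: quoting passes the value to echo verbatim.
quoted_echo() {
    echo "QUERY_STRING = $QUERY_STRING"
}

# Fix 2: 'set -f' disables globbing; the subshell keeps the setting
# from leaking into the caller.
noglob_echo() {
    ( set -f; echo QUERY_STRING = $QUERY_STRING )
}

# Run one of the functions above with a constructed QUERY_STRING in a
# scratch directory holding two constructed files (the "filesystem"
# a remote user would otherwise see listed).
run_in_scratch() {
    _fn=$1; _qs=$2
    _dir=$(mktemp -d)
    touch "$_dir/index.html" "$_dir/secret.conf"
    ( cd "$_dir" && QUERY_STRING=$_qs "$_fn" )
    rm -rf "$_dir"
}

# Prevention from the advisory: grep the access_log for the script
# name. The three log lines below are constructed for this example.
ACCESS_LOG='10.0.0.5 - - [11/Dec/1996:18:22:25 -0800] "GET /index.html HTTP/1.0" 200 512
10.0.0.9 - - [11/Dec/1996:18:23:01 -0800] "GET /cgi-bin/nph-test-cgi?* HTTP/1.0" 200 1024
10.0.0.9 - - [11/Dec/1996:18:23:07 -0800] "GET /cgi-bin/nph-test-cgi?/* HTTP/1.0" 200 2048'

count_nph_hits() {
    printf '%s\n' "$ACCESS_LOG" | grep -c 'nph-test-cgi'
}

# Stand-alone run: the vulnerable form lists the scratch files, the
# fixed forms print the literal '*', and the grep finds two probes.
run_in_scratch vulnerable_echo '*'
run_in_scratch quoted_echo '*'
run_in_scratch noglob_echo '*'
count_nph_hits
```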