Bugtraq mailing list archives

test-cgi - Re: HTTP REQUEST METHOD flaw


From: monti () NETURAL COM (monti)
Date: Wed, 13 Jan 1999 10:12:13 -0600


At least one exploitable application for throwing arbitrary characters
into an HTTP request method is good old "test-cgi".

The suggested (and from what I have seen on most systems, typical) fix
for the original bug in this script was to put the "QUERY_STRING" variable
in test-cgi in quotes to prevent its use for listing files.

With mnemonix's post regarding the REQUEST METHOD's "feature", many users
are re-exposed to the test-cgi problem, as the "REQUEST_METHOD" variable
remains un-quoted in the following shell command:

echo REQUEST_METHOD = $REQUEST_METHOD

Instead of using "*" or a pathname followed by "*" as an argument to
test-cgi as in:

GET /cgi-bin/test-cgi?* HTTP/1.0

An attacker could use something like the following:

* /cgi-bin/test-cgi HTTP/1.0
to see the contents of the /cgi-bin directory under the web root

or

/* /cgi-bin/test-cgi HTTP/1.0
to see the contents of the system's root directory /

or whatever absolute or relative path from the webserver's cgi-bin.

This was tested on version 1.3b6 of Apache.

The fix is to surround all of the variables in test-cgi (and any other
variations of test-cgi, such as nph-test-cgi, that may be present) in
quotes.
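To see the defect and the fix side by side, here is an added example (not the test-cgi script itself) that runs the unquoted and the quoted forms of the echo line inside a scratch directory with two known files; the function names and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the original test-cgi script. It reproduces the
# quoting defect in a throwaway directory and shows the quoted fix.

# Vulnerable form: the variable is unquoted, so the shell performs
# word splitting and pathname (glob) expansion on its value before
# echo ever sees it. A value of "*" becomes a directory listing.
vuln_echo() {
    REQUEST_METHOD="$1"
    echo REQUEST_METHOD = $REQUEST_METHOD
}

# Fixed form: quoting the expansion passes the value through literally.
# This is the change the post recommends for every variable in the script.
safe_echo() {
    REQUEST_METHOD="$1"
    echo "REQUEST_METHOD = $REQUEST_METHOD"
}

# Belt and braces: "set -f" turns off pathname expansion for the whole
# script, so even a forgotten quote cannot turn "*" into a listing.
noglob_echo() {
    REQUEST_METHOD="$1"
    ( set -f; echo REQUEST_METHOD = $REQUEST_METHOD )
}

# Run a function inside a scratch directory containing the constructed
# files "alpha" and "beta", so the difference is visible without touching
# any real cgi-bin. $1 = function name, $2 = simulated REQUEST_METHOD.
run_in_scratch() {
    dir=$(mktemp -d) || return 1
    touch "$dir/alpha" "$dir/beta"
    ( cd "$dir" && "$1" "$2" )
    rm -rf "$dir"
}

# Demonstration with the "*" method value from the post.
run_in_scratch vuln_echo '*'     # prints: REQUEST_METHOD = alpha beta
run_in_scratch safe_echo '*'     # prints: REQUEST_METHOD = *
run_in_scratch noglob_echo '*'   # prints: REQUEST_METHOD = *
```

The same three functions can be fed a legitimate value such as GET to confirm that the hardened forms still print the method unchanged.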

If there is a moral to this story, it is yet another warning about CGI
programming and scripting: protect *any* data that can be supplied by the
user from overflow and/or unwanted interpretation in your application,
including variables that may not necessarily be directly user-supplied.

The original test-cgi advisory can be found in the bugtraq archives at
http://www.geek-girl.com/bugtraq

-Eric Monti
