Bugtraq mailing list archives
Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows
From: Joe Orton <jorton () redhat com>
Date: Wed, 16 Aug 2006 10:15:44 +0100
On Wed, Aug 09, 2006 at 10:15:42AM -0000, susam.pal () gmail com wrote:
> ADVISORY NAME: CGI Script Source Code Disclosure Vulnerability in Apache for Windows
> ...
> But a similar configuration isn't safe in Windows. For instance:
>
>     # Sample Unsafe Configuration for Windows
>     DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
>     ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/docroot/cgi-bin/"
>
> If the scripts' directory (represented by 'ScriptAlias') lies inside the document-root directory (represented by 'DocumentRoot') and the name of the script-alias is the same as that of the directory containing the scripts, then the attacker can obtain the source code of the CGI scripts by making a direct request to 'http://[target]/CGI-BIN/foo'.
This is not a security vulnerability in the server, but rather a serious misconfiguration of the ScriptAlias directive. ScriptAlias exists to allow CGI scripts to be stored in a directory outside of the document tree. Common convention is never to include cgi-bin within the document tree.

Regards,

Joe Orton
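As an added example (not code from the advisory, from Joe Orton, or from the Apache project), the script below audits an httpd.conf fragment for the misconfiguration discussed in the thread: a ScriptAlias whose target directory lies inside DocumentRoot on a Windows (case-insensitive) filesystem. The two configuration fragments UNSAFE_CONF and SAFE_CONF are constructed for the example; the first mirrors the unsafe layout quoted above, the second moves cgi-bin outside the document tree as the reply recommends. The check also generalises slightly past the advisory's exact case: when the alias name does not equal the directory name, no case trick is needed and the plain DocumentRoot-relative path already reaches the scripts as static files. The assumption that mod_alias matches the URL prefix case-sensitively while the Windows filesystem resolves paths case-insensitively is what makes the /CGI-BIN/ variant work, and it is encoded in the comments.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample httpd.conf fragments for a Windows Apache. Neither is taken
# from the advisory's full text or from Apache's documentation.
UNSAFE_CONF = """
# cgi-bin inside DocumentRoot, alias name equal to the directory name
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/docroot/cgi-bin/"
"""

SAFE_CONF = """
# script directory outside the document tree (the layout the reply recommends)
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/cgi-bin/"
"""

_DIRECTIVE = re.compile(r"^\s*(DocumentRoot|ScriptAlias)\s+(.+?)\s*$", re.I)
_ARG = re.compile(r'"([^"]*)"|(\S+)')


def _args(rest: str) -> List[str]:
    """Split directive arguments, honouring double-quoted paths that contain spaces."""
    return [quoted or bare for quoted, bare in _ARG.findall(rest)]


def parse_conf(text: str) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Return (DocumentRoot, [(url_prefix, fs_dir), ...]) from a config fragment.

    Only the two directives relevant to this check are parsed; comments and
    everything else are ignored.
    """
    docroot = None
    aliases: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        args = _args(m.group(2))
        if m.group(1).lower() == "documentroot" and args:
            docroot = args[0]
        elif m.group(1).lower() == "scriptalias" and len(args) == 2:
            aliases.append((args[0], args[1]))
    return docroot, aliases


def _win_norm(path: str) -> str:
    """Normalise a path the way a Windows filesystem compares it:
    case-folded, backslash separators, no trailing separator."""
    return ntpath.normcase(ntpath.normpath(path))


def find_exposed_script_dirs(conf_text: str) -> List[Dict[str, str]]:
    """Report every ScriptAlias whose directory is reachable as static content.

    Each finding carries the alias, its filesystem directory and a static URL
    path that maps to the same directory without going through the CGI handler.
    """
    docroot, aliases = parse_conf(conf_text)
    findings: List[Dict[str, str]] = []
    if docroot is None:
        return findings
    root = _win_norm(docroot)
    for url_prefix, fs_dir in aliases:
        target = _win_norm(fs_dir)
        if target != root and not target.startswith(root + "\\"):
            continue  # outside the document tree: no static mapping can reach it
        # DocumentRoot-relative URL path of the script directory, e.g. "/cgi-bin/"
        rel = target[len(root):].replace("\\", "/") + "/"
        if rel.startswith(url_prefix):
            # The plain path is caught by the alias (mod_alias prefix matching is
            # case-sensitive), but on a case-insensitive filesystem a different
            # case spelling resolves to the same directory and skips the handler.
            static_path = rel.swapcase()
        else:
            # Alias name differs from the directory name: the direct path is
            # never matched by the alias, so no case trick is needed.
            static_path = rel
        findings.append({"alias": url_prefix, "dir": fs_dir, "static_path": static_path})
    return findings


if __name__ == "__main__":
    for label, conf in (("unsafe", UNSAFE_CONF), ("safe", SAFE_CONF)):
        print(label, find_exposed_script_dirs(conf))
```

Running the block prints one finding for UNSAFE_CONF (static path /CGI-BIN/, matching the request in the advisory) and none for SAFE_CONF; the fix is the one Joe Orton gives, keeping the ScriptAlias target outside DocumentRoot rather than trying to special-case URL spellings.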
Current thread:
- CGI Script Source Code Disclosure Vulnerability in Apache for Windows susam . pal (Aug 10)
- Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows Joe Orton (Aug 16)
- <Possible follow-ups>
- Re: Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows nareshhacker (Aug 17)