Bugtraq mailing list archives

Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows

From: Joe Orton <jorton () redhat com>
Date: Wed, 16 Aug 2006 10:15:44 +0100

On Wed, Aug 09, 2006 at 10:15:42AM -0000, susam.pal () gmail com wrote:

ADVISORY NAME:
CGI Script Source Code Disclosure Vulnerability in Apache for Windows

...

But a similar configuration isn't safe in Windows. For instance:-

# Sample Unsafe Configuration for Windows
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/docroot/cgi-bin/"

If the scripts' directory (represented by 'ScriptAlias') lies inside
the document-root directory (represented by 'DocumentRoot') and the
name of the script-alias is same as that of the directory containing
the scripts then the attacker can obtain the source code of the CGI
scripts by making a direct request to 'http://[target]/CGI-BIN/foo&apos;.


This is not a security vulnerability in the server, but rather a serious
misconfiguration of the ScriptAlias Directive.  ScriptAlias exists to
allow CGI scripts to be stored in a directory outside of the document
tree.  Common convention is never to include cgi-bin within the document
tree.

Regards,
Joe Orton

Current thread:

CGI Script Source Code Disclosure Vulnerability in Apache for Windows susam . pal (Aug 10)
- Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows Joe Orton (Aug 16)
- <Possible follow-ups>
- Re: Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows nareshhacker (Aug 17)