-----BEGIN PGP SIGNED MESSAGE-----

===============================================================================
  Security Advisory                                                    CERT-NL
===============================================================================

Author/Source : Don Stikvoort                          Index         : S-96-14
Distribution  : World                                  Page          : 1
Classification: External                               Version       : 2
Subject       : CGI vulnerability - UPDATE             Date          : 19-Apr-96
===============================================================================

By courtesy of IBM-ERS (the IBM CERT) we received an update on the CGI
vulnerability in NCSA/Apache reported before in S-96-14 of March 14th 1996.
CERT-NL recommends taking the steps suggested below.

===============================================================================

I. Description

This Security Vulnerability Alert provides updated information about the
NCSA HTTPD and Apache HTTPD Common Gateway Interface vulnerability described
before in { CERT-NL advisory S-96-14 of March 14th 1996 }.

{ S-96-14 } described a vulnerability in the escape_shell_cmd() function
contained in the Common Gateway Interface sample code file "cgi-src/util.c",
provided with NCSA HTTPD Version 1.5 and earlier, or Apache HTTPD Version
1.0.3 and earlier. This vulnerability allowed a malicious user to embed the
newline character (hexadecimal 0A, URL-encoded as %0A) in a query, allowing
an arbitrary shell command to be executed by the HTTPD server. The function
backslash-escapes a fixed list of shell metacharacters before the query is
handed to /bin/sh; the newline, which the shell treats as a command separator
just like ";", was missing from that list, so everything following a %0A in
the query was executed as a second command.

IBM-ERS has learned that the escape_shell_cmd() function is also contained in
the server source code file "src/util.c". Note that the files "src/util.c"
and "cgi-src/util.c" are not identical; however, they contain identical
copies of the escape_shell_cmd() function. The file "src/util.c" is used to
build the HTTPD server; therefore the "newline" vulnerability exists in the
server itself, and not only in CGI programs built from the sample code.

II. Impact

A malicious user who knows how to exercise this vulnerability may have the
ability to:

1. Execute arbitrary commands on the server host using the same user-id as
   the user running the "httpd" server.
   If "httpd" is being run as "root," the unauthorized commands are also run
   as "root."

2. Access any file on the system that is accessible to the user-id that is
   running the "httpd" server. If the "httpd" server user-id has read access
   to the file, the attacker can also read the file. If the "httpd" server
   user-id has write access to the file, the attacker can change or destroy
   the contents of the file. If the "httpd" server is being run as "root,"
   the attacker can read, modify, or destroy any file on the server host.

3. Given an X11-based terminal emulator ("xterm" or equivalent) installed on
   the "httpd" server host, gain full interactive access to the server host
   just as if he were logging in locally.

III. Solutions

IBM-ERS recommends that you consider taking the following actions (subject
to any licensing restrictions that may apply to your copies of the programs):

1. If you are using NCSA HTTPD, upgrade to Version 1.5.1, which does not
   contain this vulnerability. NCSA HTTPD Version 1.5.1 is available from:

   ftp://ftp.ncsa.uiuc.edu/Web/httpd/Unix/ncsa_httpd/current/httpd_1.5.1-export_source.tar.Z

2. If you are using Apache HTTPD, locate the escape_shell_cmd() function in
   the file "src/util.c" (approximately line 430). In that function, the line
   that reads

       if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){

   should be changed to read

       if(ind("&;`'\"|*?~<>^()[]{}$\\\n",cmd[x]) != -1){

   The server should then be recompiled, reinstalled, and restarted. Since
   the sample file "cgi-src/util.c" carries an identical copy of the function
   and is compiled into CGI programs rather than into the server, any CGI
   program built from it needs the same one-character change and must be
   rebuilt as well.

IV. Acknowledgements

IBM-ERS would like to thank the NASA Automated Systems Incident Response
Capability (NASIRC) for providing the information contained in this update.
NASIRC in turn acknowledges Ken Bell of NASA Goddard Institute for Space
Studies for bringing this vulnerability to their attention, and the NCSA
HTTPD Development Team for confirming the problem and the fix.
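The following is an added example, written for this page and not taken from the
advisory or from the NCSA/Apache sources. It re-creates the metacharacter
blacklist check from the fix in section III, once with the unpatched list and
once with the newline added, and runs a constructed query (what "foo%0Aid"
becomes after URL-decoding) through both. Only the two blacklist strings come
from the advisory; the helper names (ind(), escape_cmd(), has_bare_newline(),
newline_survives(), escape_count()) and the output-buffer handling are
assumptions of this example, not the server's own code.

```c
/* Added example: re-creation of the escape_shell_cmd() blacklist check
 * before and after the newline fix. Not the NCSA/Apache source; helper names
 * and buffer handling are this example's own assumptions. */
#include <stdio.h>
#include <string.h>

/* Mirrors the page's ind(): index of c in s, or -1 if c is not in s. */
static int ind(const char *s, char c) {
    const char *p = (c == '\0') ? NULL : strchr(s, c);
    return p ? (int)(p - s) : -1;
}

/* Blacklist as quoted in the advisory for the unpatched server ...        */
#define BAD_OLD "&;`'\"|*?~<>^()[]{}$\\"
/* ... and the same list with the newline added by the fix.                */
#define BAD_NEW "&;`'\"|*?~<>^()[]{}$\\\n"

/* Backslash-escape every character of `bad` found in `in`, writing the
 * result to `out` (capacity outsz). Returns the number of characters
 * escaped, or -1 if the output buffer would overflow. */
static int escape_cmd(const char *in, const char *bad, char *out, size_t outsz) {
    size_t o = 0;
    int escaped = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (ind(bad, in[i]) != -1) {
            if (o + 1 >= outsz) return -1;
            out[o++] = '\\';
            escaped++;
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = in[i];
    }
    out[o] = '\0';
    return escaped;
}

/* 1 if the string still contains a newline that /bin/sh would see as a
 * command separator: a newline preceded by an even number of backslashes
 * (zero included) is unescaped; an odd number means it was escaped. */
static int has_bare_newline(const char *s) {
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '\n') continue;
        size_t bs = 0;
        for (size_t j = i; j > 0 && s[j - 1] == '\\'; j--) bs++;
        if (bs % 2 == 0) return 1;
    }
    return 0;
}

/* Number of characters the given blacklist escapes in `in`. */
static int escape_count(const char *in, const char *bad) {
    char buf[256];
    return escape_cmd(in, bad, buf, sizeof buf);
}

/* Does a bare newline survive escaping with the given blacklist? */
static int newline_survives(const char *in, const char *bad) {
    char buf[256];
    if (escape_cmd(in, bad, buf, sizeof buf) < 0) return -1;
    return has_bare_newline(buf);
}

int main(void) {
    /* Constructed query: "foo%0Aid" after URL-decoding. */
    const char *query = "foo\nid";
    printf("unpatched list: bare newline survives = %d\n",
           newline_survives(query, BAD_OLD));
    printf("patched list:   bare newline survives = %d\n",
           newline_survives(query, BAD_NEW));
    return 0;
}
```

With the unpatched list the query passes through untouched and the shell would
run "id" as a second command; with the patched list the newline is escaped and
is no longer a separator. The parity check in has_bare_newline() matters for
inputs such as a backslash followed by a newline: the old list escapes the
backslash, leaving the newline behind two backslashes and therefore still bare.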
IBM-ERS would also like to thank Jennifer Myers, a post-doctoral fellow at
Northwestern University, who originally discovered the vulnerability
described in ERS-SVA-E01-1996:002.1 and made public the description of the
problem and its solution. This acknowledgement was omitted from the original
alert.

(Copyright 1996 International Business Machines Corporation.)

===============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related
institutes. CERT-NL is a member of the Forum of Incident Response and
Security Teams (FIRST).

All CERT-NL material is available under:
  http://www.surfnet.nl/surfnet/security/cert-nl.html
  ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100
in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl
Phone:     +31 302 305 305
Fax:       +31 302 305 329
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA  UTRECHT
           The Netherlands

A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST members
on request.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBMXc81mL2fnkJN/jpAQGr8wQArmwPYhAsoxOjuEShu+OuQL8D1ensVgao
r9OPon4T4Hhtz+oGIHCPfiH2xPeh53N4xNcqaPRH5HdPefd0wainvZEDkzhL1HqA
S66LRBiogxF04e+uiQBrCAae6bRYppv6DxxIdxxZ5GwI+RSBO/ZQsvo0LbqXwNem
eBzG03YAySg=
=fVyk
-----END PGP SIGNATURE-----