-----BEGIN PGP SIGNED MESSAGE-----

===============================================================================
Security Advisory                                                      CERT-NL
===============================================================================
Author/Source : Teun Nijssen                      Index         : S-96-22
Distribution  : World                             Page          : 1
Classification: External                          Version       : 1
Subject       : CERN Web-server 3.0               Date          : 16-May-96
===============================================================================

By courtesy of NASIRC, NASA's CERT team for earth and surroundings, we
received information on a vulnerability in CERN's Web-Server Version 3.0.

- -------------------------------------------------------------------------------

This bulletin reports a recently announced security vulnerability. It may
contain a workaround or software patch. Bulletins should be considered urgent
as vulnerability information is likely to be widely known by the time a patch
is issued or other solutions are developed.

NASIRC has been informed of two security vulnerabilities in the CERN httpd Web
server Version 3.0.

1) The server has a security vulnerability that will allow anyone accessing a
   Web site running this server to bypass any restrictions that have been
   specified in the server configuration file "httpd.conf". These are
   restrictions such as permitting only browsers at ".nasa.gov" addresses to
   view certain pages. This problem affects the CERN server. It does not
   affect the NCSA server. NASIRC has not evaluated any other Web servers for
   this vulnerability. This vulnerability does not permit an intruder to
   modify data on the server.

2) The "CGIParse" utility, which is distributed with the CERN Web server, has
   a vulnerability that will allow a malicious person to execute shell
   commands on the server.

SYSTEMS AFFECTED

UNIX systems running the CERN Web server httpd Version 3.0 are affected.
PROBLEM 1 DESCRIPTION

The CERN Web server allows a Webmaster to specify that selected Web pages
should be served to only certain network sites or only if the viewer can
supply the correct password. This access configuration is specified in the
"httpd.conf" file. These restrictions may be trivially bypassed by altering
the pathname of the file in the URL to something that is equivalent to the
underlying file system but that will not exactly match the restriction
specified in the "httpd.conf" file. This hole is being actively exploited.

RECOMMENDED ACTION FOR PROBLEM 1

Webmasters should include the following lines in the "httpd.conf" file BEFORE
any "Exec", "Pass" or "Map" directives:

    Fail //*
    Fail *//*
    Fail /./*
    Fail */./*

PROBLEM 2 DESCRIPTION

The utility program "CGIParse" is intended to be used by CGI shell scripts to
parse data that was entered into a form by a person running a browser and
sent to the local Web server. It assembles a shell command to set the
environment variable "QUERY_STRING", but does not adequately protect against
shell-significant characters within the string value passed from the browser.
This allows a malicious person to embed arbitrary shell commands within the
string and cause them to be executed by the shell process running the CGI
script.

RECOMMENDED ACTION FOR PROBLEM 2

System administrators should apply the following patch to the source file
"WWW/Daemon/Implementation/CGIParse.c" and recompile and reinstall the
"CGIParse" program:

296c296,297
< printf("QUERY_STRING='%s'; export QUERY_STRING\n", query_string) ;
---
> printf("QUERY_STRING=%s; export QUERY_STRING\n"
> , sh_escape(query_string)) ;

ADDITIONAL NOTES

Web page access restrictions based on IP addresses or DNS information are not
truly secure since that information is simple to falsify. Password-restricted
pages are also not very secure since the plaintext passwords used by the HTTP
protocol may be easily captured in transit.
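Review bot: the replacement line at 296 calls sh_escape(query_string), but the hunk neither defines that function nor touches a declaration or include, so applied on its own it will not compile unless sh_escape() already exists in CGIParse.c or a header it includes; the patch should carry that definition or state where it comes from. Note also that the literal single quotes around %s in the removed line are gone in the new one, so the entire protection now rests on sh_escape() returning a value that is already one complete shell word (quoted or escaped), for every possible input including an empty query string.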
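The following is an added example, not code from the advisory or from CERN httpd. It shows why matching an access rule against the raw URL path (Problem 1) is bypassable, how the four "Fail" rules from the recommended action reject the altered spellings, and how canonicalizing the path before matching makes every equivalent spelling hit the same rule. The rule syntax (`*` as wildcard), the protected file `/private/secret.html` and the request variants are constructed for illustration; they are not taken from the advisory.

```python
# Added example (not from the advisory or from CERN httpd): why matching an
# access rule against the raw URL path is bypassable, and how the advisory's
# four "Fail" rules and path canonicalization close the gap. The rule syntax,
# the protected file and the request variants are constructed for illustration.
from fnmatch import fnmatchcase
import posixpath

# The workaround lines from the advisory, as patterns ('*' matches anything,
# including '/').
FAIL_RULES = ["//*", "*//*", "/./*", "*/./*"]

# Constructed example of a Webmaster's restriction: one protected file.
PROTECTED = "/private/secret.html"

# Constructed request paths that all name the same file on disk.
VARIANTS = [
    "/private/secret.html",     # canonical form
    "//private/secret.html",    # doubled leading slash
    "/private/./secret.html",   # '.' component
    "/./private/secret.html",   # leading '.' component
    "/private//secret.html",    # doubled inner slash
]


def naive_is_protected(path: str) -> bool:
    """Literal match of the raw path against the rule: the vulnerable check."""
    return fnmatchcase(path, PROTECTED)


def fails_workaround(path: str) -> bool:
    """True when one of the advisory's Fail rules rejects the raw path."""
    return any(fnmatchcase(path, rule) for rule in FAIL_RULES)


def canonicalize(path: str) -> str:
    """Collapse '//' and '/./' so that equivalent spellings compare equal."""
    norm = posixpath.normpath(path)
    # normpath deliberately keeps a leading '//' (POSIX lets it be special);
    # a web server has no use for that distinction, so collapse it as well.
    return "/" + norm.lstrip("/")


def decide(path: str) -> str:
    """Defender's order of evaluation: the Fail rules first (the advisory says
    they must precede Exec/Pass/Map), then the rule on the canonical path."""
    if fails_workaround(path):
        return "fail"
    if naive_is_protected(canonicalize(path)):
        return "protected"
    return "pass"


def bypasses_naive_match() -> list:
    """Variants that slip past a literal match, i.e. the vulnerability."""
    return [p for p in VARIANTS if not naive_is_protected(p)]


def caught_after_canonicalization() -> bool:
    """Every variant maps onto the protected rule once canonicalized."""
    return all(naive_is_protected(canonicalize(p)) for p in VARIANTS)


if __name__ == "__main__":
    for p in VARIANTS:
        print(f"{p:28} naive={naive_is_protected(p)!s:5} decide={decide(p)}")
```

Running the block prints one line per variant: only the canonical spelling is caught by the literal match, while `decide()` rejects every altered spelling through the Fail rules and still protects the canonical one. Canonicalizing before matching is the general fix; the Fail rules are the configuration-only stopgap the advisory offers for servers that match literally.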
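As an added example for Problem 2 (not the CGIParse patch and not CERN code), the block below builds the `QUERY_STRING=...; export QUERY_STRING` line both the way the removed line did (untrusted data between literal single quotes) and the way the patched line does (an escaper that returns one shell word). `shlex.quote` stands in for the `sh_escape()` the patch calls, whose definition the advisory does not show; `HOSTILE_QUERY` is constructed form input. The result is checked with a shell tokenizer instead of by running a shell.

```python
# Added example (not the CGIParse patch and not CERN code): the unsafe and the
# safe way to emit a "QUERY_STRING=...; export QUERY_STRING" line for a shell
# to eval. shlex.quote stands in for the sh_escape() the patch calls, whose
# definition the advisory does not show. The line is checked with a shell
# tokenizer rather than by running a shell.
import shlex

# Constructed form input carrying shell metacharacters: a single quote closes
# the literal the unsafe version opened, and ';' starts a new command.
HOSTILE_QUERY = "name=x'; echo injected; '"


def unsafe_export_line(query_string: str) -> str:
    """Mirrors the construction the patch removes: untrusted data dropped
    between literal single quotes."""
    return f"QUERY_STRING='{query_string}'; export QUERY_STRING"


def safe_export_line(query_string: str) -> str:
    """Mirrors the patched construction: the escaper returns one shell word
    whatever the data contains, so no quotes are added around it."""
    return f"QUERY_STRING={shlex.quote(query_string)}; export QUERY_STRING"


def shell_tokens(line: str) -> list:
    """Tokenize as /bin/sh would, with ';' emitted as its own token."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=";")
    lexer.whitespace_split = True
    return list(lexer)


def command_count(line: str) -> int:
    """Number of simple commands the shell would run for this line; the
    intended value is exactly two (the assignment and the export)."""
    return shell_tokens(line).count(";") + 1


def exported_value(line: str) -> str:
    """The value QUERY_STRING ends up with: the first word minus its prefix."""
    first = shell_tokens(line)[0]
    assert first.startswith("QUERY_STRING="), first
    return first[len("QUERY_STRING="):]


if __name__ == "__main__":
    for build in (unsafe_export_line, safe_export_line):
        line = build(HOSTILE_QUERY)
        print(f"{build.__name__}: {command_count(line)} command(s), "
              f"value={exported_value(line)!r}")
```

With the constructed input, the unsafe line tokenizes into four commands and assigns only `name=x`, while the safe line tokenizes into the intended two commands and round-trips the full value unchanged. The same tokenizer check is a cheap unit test for any CGI helper that still builds shell assignments from request data.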
The protection mechanisms provided by most Web servers are sufficient only to
prevent casual browsing by unauthorized persons. Truly sensitive information
should not be made accessible via the Web.

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

NASIRC ACKNOWLEDGES: Paul J. Meyer of MSFC for bringing problem 1 to NASIRC's
attention and for testing; Anselm Baird-Smith of the World Wide Web Consortium
for providing the workaround and patch; and Wolfgang Ley of DFN-CERT for
alerting NASIRC to problem 2 and for additional comments.

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

CERT-NL recommends implementing NASIRC's advice.

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://www.surfnet.nl/surfnet/security/cert-nl.html
  ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100
in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl
Phone:     +31 302 305 305
Fax:       +31 302 305 329
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA UTRECHT
           The Netherlands

A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST members on
request.
==============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: cp850

iQCVAgUBMZuVLmL2fnkJN/jpAQH8/wQAoK93S1XcgfZpRBwTX4jiEUbusRWbNGDK
Ns+gbrvp6jgXwSJfy4b6W8ewSOj7YV+8qTiih45sM3A1UKFu+WT3l5jaEzBVw3F4
0XLOjJ35n3m3CS2/0gyAXGM/5J1sIYUOiBrbTNOd/+CQ/GlFhDmpv27xo4xdUB0u
XYlBHm1Iwb4=
=3Kra
-----END PGP SIGNATURE-----