From jrichard@fix.net Thu Dec 12 00:02:25 1996
Date: Wed, 11 Dec 1996 18:22:25 -0800
From: Josh Richards
To: Multiple recipients of list BUGTRAQ
Subject: Security Advisory: HTTP/CGI Script Exploit

================================================================================
                        The DataHaven Project
                      ____ SECURITY ADVISORY ____
                           10 December 1996
                      Revised: 11 December 1996
================================================================================

Program(s):       nph-test-cgi (a commonly installed sample CGI script)

Problems:         Anyone can remotely view your filesystems via the web.

Extent/Severity:  The majority of UNIX-based Internet World Wide Web servers
                  come with this CGI script installed by default and are
                  currently exploitable.

Date:             10 December 1996

Author:           jrichard@fix.net (Josh Richards)

Description:

  A security hole exists in the nph-test-cgi script included in most
  UNIX-based World Wide Web daemon distributions. The nph-* scripts exist to
  allow 'non-parsed headers' to be sent via the HTTP protocol (this is not
  the cause of this security problem, though).

  The problem is that nph-test-cgi, which prints out information on the
  current web environment (just like 'test-cgi' does), does not enclose its
  arguments to the 'echo' command inside quotes. Shell escapes are not
  possible (or at least I have not found them to be--yet), but shell
  *expansion* is. This means that _any_ remote user can easily browse your
  filesystem via the WWW.

  This is a bug in the nph-test-cgi script and _not_ in the server itself.

Versions:  (These versions include the problem script in the distribution.)

  [PLEASE NOTE: These are only the ones that I have access to and could test
   out and verify. --JR]

  NCSA HTTP        1.3, 1.4, 1.4.1, 1.4.2, 1.5.1, 1.5.2, 1.5.2a

  Apache HTTP      0.8.11, 0.8.14, 1.0.0, 1.0.2, 1.0.3, 1.0.5, 1.1.0
                   Please note that the latest versions, 1.1.1 and 1.2b2 or
                   higher, do *not* include the script as part of the
                   distribution, but if you upgraded from an earlier version
                   (or from NCSA HTTP) then the script _may_ still be
                   installed on your server from the previous distribution.

  Apache-SSL HTTP  1.0.5, 1.1.1 (see Apache notes above)

  StrongHold       1.3.2 (basically Apache 1.1.1 + SSL extensions)

  Netscape         Communications 1.1, 1.12
                   Enterprise 2.0a
                   Commerce 1.12

  BESTWWWD         1.0

  Microsoft        [Status is unknown--I have no servers to test this on.
                    --JR]

Exploit:

  Enter the URL:

  Replace the host part with the hostname of a server running a web daemon
  near you. [Please note that the asterisk ('*') on the end of the URL is
  very important.]

  Now look very closely at the line beginning with "QUERY_STRING". Does it
  look familiar to you? It should (if it doesn't, you should really spend a
  little more time looking at what is installed on your system).

  Similar URLs will allow users to traverse the filesystem and view the
  contents of other directories on your server.

History:

  A similar bug was reported in a L0pht advisory (from mudge@l0pht.com) in
  April 1996 with another (very similar) CGI script ('test-cgi'), and it was
  subsequently fixed by most of the major distributions. See that advisory
  for more information.

Fix:

  Type 'chmod 700 nph-test-cgi' at your nearest shell prompt (as superuser).
  :-)

  If it is necessary to have the script accessible (I don't know why it
  would be, though) then a quick fix is to put quotes around all parameters
  to 'echo':

      echo QUERY_STRING = $QUERY_STRING

  would become

      echo "QUERY_STRING = $QUERY_STRING"

  A longer-term fix is to disable shell 'globbing' completely. This can be
  accomplished by using the '-f' option (or 'set -f') if you are using a
  Bourne-derived shell.

Prevention:

  Apply the above suggested fixes.

  Watch your server's access_logs for any accesses to
  "/cgi-bin/nph-test-cgi" by doing a grep for "nph-test-cgi".

Notes:

  There are _many_ CGI scripts written (I am guilty of writing them myself)
  that do not check the input environment/variables enough. Please check
  your quickly-hacked-together-just-to-get-the-job-done shell scripts
  carefully. UNIX can be powerful--too powerful for its (our?) own good
  sometimes..

--
Josh Richards -- Network Admin/Tech Support @ ***The FIX Network***
Finger for my PGP Key
- '"Anonymity is bad," says a source who wishes to remain anonymous.' -
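The unquoted-echo bug, the two fixes from the Fix section and the access_log grep from Prevention, as an added example that is not the advisory's own code nor the nph-test-cgi shipped with any server; the two file names and the three log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the advisory's script): reproduce the quoting bug from
# nph-test-cgi in a throwaway directory, show both fixes, then grep a log.

# Vulnerable form: the unquoted $QUERY_STRING is glob-expanded by the shell,
# so a query of '*' becomes a listing of the script's working directory.
vuln_echo() {
    QUERY_STRING=$1
    echo QUERY_STRING = $QUERY_STRING
}

# Fix 1: quote the expansion so the value reaches echo as one literal word.
fixed_quote_echo() {
    QUERY_STRING=$1
    echo "QUERY_STRING = $QUERY_STRING"
}

# Fix 2: disable globbing with set -f; a subshell keeps it local to this function.
fixed_noglob_echo() (
    set -f
    QUERY_STRING=$1
    echo QUERY_STRING = $QUERY_STRING
)

# Detection check from the Prevention section, over constructed log lines.
SAMPLE_LOG='10.0.0.5 - - [11/Dec/1996:18:22:25 -0800] "GET /cgi-bin/nph-test-cgi?* HTTP/1.0" 200 512
10.0.0.6 - - [11/Dec/1996:18:23:01 -0800] "GET /index.html HTTP/1.0" 200 2048
10.0.0.7 - - [11/Dec/1996:18:24:10 -0800] "GET /cgi-bin/nph-test-cgi?* HTTP/1.0" 200 4096'

count_probes() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c 'nph-test-cgi'
}

# Demo: two constructed files stand in for whatever lives in cgi-bin.
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/secret.conf"
    : > "$dir/users.db"
    (
        cd "$dir" || exit 1
        printf 'vulnerable: %s\n' "$(vuln_echo '*')"
        printf 'quoted:     %s\n' "$(fixed_quote_echo '*')"
        printf 'noglob:     %s\n' "$(fixed_noglob_echo '*')"
    )
    printf 'probe lines in log: %s\n' "$(count_probes)"
    rm -rf "$dir"
}

demo
```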