ers-sv04
Posted Sep 23, 1999

SHA-256 | c6658c05bd33c247a23ca5421f1ad973670549aab118edcdadbd8aa1ba997cb1

-----BEGIN PGP SIGNED MESSAGE-----

- --ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--
- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

EMERGENCY RESPONSE SERVICE
SECURITY VULNERABILITY ALERT

16 April 1996 16:00 GMT Number: ERS-SVA-E01-1996:002.2
===============================================================================
UPDATE TO ERS-SVA-E01-1996:002.1

I. Description

This Security Vulnerability Alert provides updated information about the NCSA
HTTPD and Apache HTTPD Common Gateway Interface vulnerability described in
ERS-SVA-E01-1996:002.1, which was released on 26 February 1996.

ERS-SVA-E01-1996:002.1 described a vulnerability in the escape_shell_cmd()
function contained in the Common Gateway Interface sample code file
"cgi-src/util.c", provided with NCSA HTTPD Version 1.5 and earlier, or
Apache HTTPD Version 1.0.3 and earlier. This vulnerability allowed a
malicious user to embed the newline character (Hexadecimal 0A) in a query,
allowing an arbitrary shell command to be executed by the HTTPD server.

IBM-ERS has learned that the escape_shell_command() function is also
contained in the server source code file, "src/util.c". Note that the files
"src/util.c" and "cgi-src/util.c" are not identical; however, they contain
identical copies of the escape_shell_command() function. The file
"src/util.c" is used to build the HTTPD server; therefore, the "newline"
vulnerability exists in the server itself.

II. Impact

A malicious user who knows how to exercise this vulnerability may have the
ability to:

1. Execute arbitrary commands on the server host using the same user-id as
the user running the "httpd" server. If "httpd" is being run as
"root," the unauthorized commands are also run as "root."

2. Access any file on the system that is accessible to the user-id that is
running the "httpd" server. If the "httpd" server user-id has read
access to the file, the attacker can also read the file. If the
"httpd" server user-id has write access to the file, the attacker can
change or destroy the contents of the file. If the "httpd" server is
being run as "root," the attacker can read, modify, or destroy any file
on the server host.

3. Given an X11-based terminal emulator ("xterm" or equivalent) installed
on the "httpd" server host, gain full interactive access to the server
host just as if he were logging in locally.


III. Solutions

IBM-ERS recommends that you consider taking the following actions (subject to
any licensing restrictions that may apply to your copies of the programs):

1. If you are using NCSA HTTPD, upgrade to Version 1.5.1, which does not contain
this vulnerability.

NCSA HTTPD Version 1.5 is available from:

ftp://ftp.ncsa.uiuc.edu/Web/httpd/Unix/ncsa_httpd/current/httpd_1.5.1-export_source.tar.Z

2. If you are using Apache HTTPD, locate the escape_shell_command() function
in the file "src/util.c" (approximately line 430). In that function, the
line that reads

if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){

should be changed to read

if(ind("&;`'\"|*?~<>^()[]{}$\\\n",cmd[x]) != -1){

The server should then be recompiled, reinstalled, and restarted.
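
The effect of that one-character change can be checked in isolation. The
following is an added example, not code from NCSA or Apache HTTPD: the helper
names escape_with_set() and unescaped_newlines() are hypothetical, the input is
constructed, and only the two metacharacter strings come from the lines above.

```c
#include <stdio.h>
#include <string.h>

/* Metacharacter sets quoted in the advisory: before and after the fix. */
static const char META_OLD[] = "&;`'\"|*?~<>^()[]{}$\\";
static const char META_NEW[] = "&;`'\"|*?~<>^()[]{}$\\\n";

/* Hypothetical helper (not the httpd source): copy src into dst, placing a
 * backslash before every byte found in meta. Returns the output length,
 * or -1 if dst is too small. */
int escape_with_set(const char *meta, const char *src, char *dst, size_t cap)
{
    size_t o = 0;
    for (; *src; src++) {
        int special = strchr(meta, *src) != NULL;
        if (o + (special ? 2 : 1) >= cap)
            return -1;                /* no room for bytes plus the NUL */
        if (special)
            dst[o++] = '\\';
        dst[o++] = *src;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Count newlines not consumed by a preceding backslash escape. A shell
 * treats such a newline as the end of one command and the start of the
 * next; backslash-newline is only a line continuation. */
int unescaped_newlines(const char *s)
{
    int n = 0, escaped = 0;
    for (; *s; s++) {
        if (escaped) { escaped = 0; continue; }
        if (*s == '\\') escaped = 1;
        else if (*s == '\n') n++;
    }
    return n;
}

int main(void)
{
    const char *query = "a;b\nc";     /* constructed sample input */
    char before[32], after[32];
    escape_with_set(META_OLD, query, before, sizeof before);
    escape_with_set(META_NEW, query, after, sizeof after);
    printf("old set: %d unescaped newline(s)\n", unescaped_newlines(before));
    printf("new set: %d unescaped newline(s)\n", unescaped_newlines(after));
    return 0;
}
```

The same check can be run over any other call site that builds a shell command
from request data, which is how the second copy in "src/util.c" would show up.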

IV. Acknowledgements

IBM-ERS would like to thank the NASA Automated Systems Incident Response
Capability (NASIRC) for providing the information contained in this update.
NASIRC in turn acknowledges Ken Bell of NASA Goddard Institute for Space
Studies for bringing this vulnerability to their attention, and the NCSA
HTTPD Development Team for confirming the problem and the fix.

IBM-ERS would also like to thank Jennifer Myers, a post-doctoral fellow at
Northwestern University, who originally discovered the vulnerability
described in ERS-SVA-E01-1996:002.1, and made public the description of the
problem and its solution. This acknowledgement was omitted from the
original alert.

===============================================================================

IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment. By acting as an extension
of your own internal security staff, IBM-ERS's team of Internet security
experts helps you quickly detect and respond to attacks and exposures across
your Internet connection(s).

As a part of IBM's Business Recovery Services organization, the IBM Internet
Emergency Response Service is a component of IBM's SecureWay(tm) line of
security products and services. From hardware to software to consulting,
SecureWay solutions can give you the assurance and expertise you need to
protect your valuable business resources. To find out more about the IBM
Internet Emergency Response Service, send an electronic mail message to
ers-sales@vnet.ibm.com, or call 1-800-742-2493 (Prompt 4).

IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams
(FIRST), a global organization established to foster cooperation and response
coordination among computer security teams worldwide.

Copyright 1996 International Business Machines Corporation.

The information in this document is provided as a service to customers of
the IBM Emergency Response Service. Neither International Business Machines
Corporation, Integrated Systems Solutions Corporation, nor any of their
employees, makes any warranty, express or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or usefulness of
any information, apparatus, product, or process contained herein, or
represents that its use would not infringe any privately owned rights.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by IBM or
its subsidiaries. The views and opinions of authors expressed herein do not
necessarily state or reflect those of IBM or its subsidiaries, and may not be
used for advertising or product endorsement purposes.

The material in this security alert may be reproduced and distributed,
without permission, in whole or in part, by other security incident response
teams (both commercial and non-commercial), provided the above copyright is
kept intact and due credit is given to IBM-ERS.

This security alert may be reproduced and distributed, without permission,
in its entirety only, by any person provided such reproduction and/or
distribution is performed for non-commercial purposes and with the intent of
increasing the awareness of the Internet community.

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---
- --ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--
