The CGI Debugger v1.0 (/cgi-bin/debug.pl) discloses information useful to an attacker, including the document root and the server version string, when passed a bogus argument.
NeoErudition Technologies
By: Lawrence Lavigne
Vulnerability: CGI Debugger v1.0
Remote: YES
Risk: HIGH
I have not found any information on Packetstorm or SecurityFocus about this issue, but that is not to say it has not been addressed elsewhere. For the security community's sake I will release what I can now.
Environment variables can be gleaned from a server running /cgi-bin/debug.pl by passing a bogus argument to the script.
Example: http://www.domain.com/cgi-bin/debug.pl/* will produce:
DOCUMENT_ROOT "/usr/home17/dir/public_html"
GATEWAY_INTERFACE "CGI/1.1"
HTTP_ACCEPT "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/vnd.ms-excel, */*"
HTTP_ACCEPT_ENCODING "gzip, deflate"
HTTP_ACCEPT_LANGUAGE "en-us"
HTTP_CONNECTION "Keep-Alive"
HTTP_COOKIE "$1"
HTTP_HOST "www.domain.com"
HTTP_USER_AGENT "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
LOG_DIR "/usr/local/etc/httpd/log6/dir"
PATH "/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin"
QUERY_STRING ""
REMOTE_ADDR "XXX.XXX.XXX.XXX"
REMOTE_PORT "3899"
REQUEST_METHOD "GET"
REQUEST_URI "/directory/cgi-bin/debug.pl/<script_name>"
REWRITE_ROOT "/usr/home17/dir/public_html"
SCRIPT_FILENAME "/usr/home17/dir/public_html/directory/cgi-bin/<script_name>"
SCRIPT_NAME "/directory/cgi-bin/*"
SCRIPT_URI "http://www.domain.com/directory/cgi-bin/debug.pl/<script_name>"
SCRIPT_URL "/directory/cgi-bin/debug.pl/*"
SERVER_ADDR "XXX.XXX.XXX.XXX"
SERVER_ADMIN "admin@domain.com"
SERVER_NAME "www.domain.com"
SERVER_PORT "80"
SERVER_PROTOCOL "HTTP/1.1"
SERVER_SIGNATURE ""
SERVER_SOFTWARE "Apache/1.3 (Unix) mod_perl/1.27 PHP/4.2.2 mod_fastcgi/2.2.12 FrontPage/5.0.2.2510 mod_jk/1.2.0 mod_ssl/2.8.10 OpenSSL/0.9.6e"
UNIQUE_ID "PW1BEdH5k-4AAYO7Thw"
CANNOT EXECUTE:: /usr/home17/dir/public_html/directory/cgi-bin/<script_name>
NOTE: This server's IP address, domain and other sensitive information have been omitted.
Note the information provided by SERVER_SOFTWARE. It reveals Apache 1.3 (Unix), which an attacker may know to have a remote vulnerability permitting execution of arbitrary commands; the banner shows only the major version, but the module versions listed alongside it help narrow down the exact build. FrontPage 5.0.2.2510 may have no currently known vulnerabilities, but it could tip off an attacker to check for the various Vermeer Technologies Incorporated _vti_pvt weaknesses, such as exposed /_vti_pvt/service.pwd and /_vti_pvt/administrators.pwd files. Thankfully OpenSSL 0.9.6e does not suffer from the arbitrary code execution vulnerability, but that seems moot considering what other information debug.pl hands an attacker.
SERVER_SOFTWARE is by no means the only sensitive information provided in this list. A skilled intruder can make use of much else that is here, which I will not detail.
Furthermore, executing debug.pl without an argument prompts for a script to execute or debug.
Example: http://www.domain.com/cgi-bin/debug.pl will give the following output:
Usage: /directory/cgi-bin/debug.pl/script-to-run
With the information provided above and perhaps a quick audit, an intruder may be able to collect enough information to guess the names of existing scripts to run debug.pl against. Possible code injection? Heap overflow?
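As an added example (not part of the original advisory, and not the debug.pl script itself), the following Python parses the two response shapes described above so an auditor scanning for an exposed debug.pl can classify what came back and see at a glance what it leaks: the environment dump returned for a bogus argument, and the usage banner returned for no argument. The sample responses are constructed from the output quoted in this advisory, with its placeholders kept as-is; the function names and the SENSITIVE list are this example's own choices, not anything from the original script.

```python
"""Classify and triage responses from an exposed CGI Debugger (debug.pl).

Added example for this advisory; not the debug.pl script and not code from
the original author. Sample responses are constructed from the advisory's
quoted output, placeholders included.
"""
import re

# Constructed sample: debug.pl invoked with a bogus argument ("/*").
ENV_DUMP = '''DOCUMENT_ROOT "/usr/home17/dir/public_html"
GATEWAY_INTERFACE "CGI/1.1"
HTTP_HOST "www.domain.com"
LOG_DIR "/usr/local/etc/httpd/log6/dir"
PATH "/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin"
SCRIPT_FILENAME "/usr/home17/dir/public_html/directory/cgi-bin/<script_name>"
SERVER_ADMIN "admin@domain.com"
SERVER_SOFTWARE "Apache/1.3 (Unix) mod_perl/1.27 PHP/4.2.2 mod_fastcgi/2.2.12 FrontPage/5.0.2.2510 mod_jk/1.2.0 mod_ssl/2.8.10 OpenSSL/0.9.6e"
UNIQUE_ID "PW1BEdH5k-4AAYO7Thw"
CANNOT EXECUTE:: /usr/home17/dir/public_html/directory/cgi-bin/<script_name>
'''

# Constructed sample: debug.pl invoked with no argument at all.
USAGE_BANNER = "Usage: /directory/cgi-bin/debug.pl/script-to-run\n"

# One environment variable per line, in the form: NAME "value"
LINE_RE = re.compile(r'^([A-Z_][A-Z0-9_]*) "(.*)"$')

# Variables whose disclosure gives an attacker filesystem layout,
# contact details or software fingerprints (this example's own list).
SENSITIVE = ('DOCUMENT_ROOT', 'REWRITE_ROOT', 'SCRIPT_FILENAME', 'LOG_DIR',
             'PATH', 'SERVER_ADMIN', 'SERVER_SOFTWARE')


def parse_env_dump(body):
    """Return {VAR: value} for every 'NAME "value"' line in the response.
    Lines that do not fit the pattern (e.g. 'CANNOT EXECUTE:: ...') are ignored."""
    env = {}
    for line in body.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            env[m.group(1)] = m.group(2)
    return env


def parse_server_software(banner):
    """Split an Apache-style banner into {component: version}.
    Tokens without a slash, such as '(Unix)', carry no version and are skipped."""
    return dict(re.findall(r'([^\s/]+)/(\S+)', banner))


def classify_response(body):
    """'usage' for the no-argument banner, 'env_dump' for the leak, else 'other'."""
    if 'Usage:' in body and 'script-to-run' in body:
        return 'usage'
    env = parse_env_dump(body)
    if 'SERVER_SOFTWARE' in env or 'DOCUMENT_ROOT' in env or 'CANNOT EXECUTE::' in body:
        return 'env_dump'
    return 'other'


def triage(body):
    """Summarise one debug.pl response: what kind it is, which sensitive
    variables it leaked, and the server components it fingerprints."""
    env = parse_env_dump(body)
    return {
        'kind': classify_response(body),
        'leaked': {k: env[k] for k in SENSITIVE if k in env},
        'components': parse_server_software(env.get('SERVER_SOFTWARE', '')),
    }


if __name__ == '__main__':
    for label, body in (('bogus argument', ENV_DUMP), ('no argument', USAGE_BANNER)):
        result = triage(body)
        print(f"[{label}] kind={result['kind']}")
        for name, value in result['leaked'].items():
            print(f"  leaked {name} = {value}")
        for comp, ver in result['components'].items():
            print(f"  fingerprint {comp} {ver}")
```

In practice the two bodies would be the HTTP response text fetched for `/cgi-bin/debug.pl/*` and `/cgi-bin/debug.pl`; either a `usage` or an `env_dump` classification means the debugger is reachable and should be removed or access-controlled.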
NeoErudition Technologies
Lawrence Lavigne
administrator@neoerudition.net
http://neoerudition.net