ADVISORY NAME:
CGI Script Source Code Disclosure Vulnerability in Apache for Windows

VULNERABLE SYSTEMS:
The vulnerability has been verified on Apache 2.2.2 running on Microsoft Windows XP, Version 2002, Service Pack 2.

FOUND BY:
Susam Pal

FOUND ON:
8th August, 2007

VULNERABILITY TYPE:
Information Disclosure

SYSTEM DESCRIPTION:
Apache HTTPD is a web server that can run on many platforms to provide web-service. The basic server configuration is controlled by the file 'httpd.conf'. The 'DocumentRoot' directive controls which directory is considered to be root for serving documents. For instance:-

DocumentRoot "/home/webmaster/site/docroot/"

In the above example, a request to 'http://[target]/foo.html' would fetch the 'foo.html' page from '/home/webmaster/site/docroot/' directory of the server.

The 'ScriptAlias' directive controls which directory contains server scripts. The following is an example of a typical 'ScriptAlias' directive:-

ScriptAlias /cgi-bin/ "/home/webmaster/site/docroot/cgi-bin"

If a user makes a direct request to 'http://[target]/cgi-bin/foo' where 'cgi-bin' is the scripts' directory and 'foo' is the script, the user gets the output of the 'foo' script. In a secure system, the user is not supposed to view the source-code of 'foo' by making an HTTP GET request.

VULNERABILITY DESCRIPTION:
Usually the following directives in 'httpd.conf' file can be considered safe for Unix/Linux (assuming that other directives haven't been insanely edited):-

# Sample Safe Configuration for Unix/Linux
DocumentRoot "/home/webmaster/site/docroot/"
ScriptAlias /cgi-bin/ "/home/webmaster/site/docroot/cgi-bin"

But a similar configuration isn't safe in Windows. For instance:-

# Sample Unsafe Configuration for Windows
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/docroot/cgi-bin/"

If the scripts' directory (represented by 'ScriptAlias') lies inside the document-root directory (represented by 'DocumentRoot') and the name of the script-alias is same as that of the directory containing the scripts then the attacker can obtain the source code of the CGI scripts by making a direct request to 'http://[target]/CGI-BIN/foo'.

Apache web-server checks for the exact case mentioned in the 'ScriptAlias' directive before deciding whether the directory mentioned in the HTTP GET request is a scripts' directory or not. So, when Apache web-server receives a request for a file in 'CGI-BIN' directory, it finds it to be different from 'cgi-bin' mentioned in the 'ScriptAlias' directive. So, it concludes that it is not a script-alias. Then it checks for 'CGI-BIN' directory in the document-root directory and finds it since file-names and directory-names are not case-sensitive on Windows. So, it simply sends the content of the 'foo' file as the HTTP response. It doesn't execute the 'foo' script because it isn't found in a directory pointed by script-alias.

EXPLOIT:
The vulnerability can be exploited by making a direct request to http://[target]/CGI-BIN/foo

PREVENTION:
1. Choosing a name for the 'ScriptAlias' different from the name of the actual directory will reduce the risk. For instance,

# Sample Configuration for Reducing Risk
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/docroot/sdy1x9y/"

The attacker can still get the source code by making a direct request to 'http://[target]/sdy1x9y/foo' if the attacker can somehow determine that the 'ScriptAlias /cgi-bin/' refers to the 'sdy1x9y' directory.

2. A more secure preventive measure would be to place the scripts folder outside the 'DocumentRoot' directory and then form a 'ScriptAlias' to it. For instance,

# Sample Configuration for Increased Security
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/cgi-bin"

DISCLAIMER:
The information, codes and exploits in this advisory should be used for research, experimentation, bug-fixes and patch-releases only. The author shall not be liable in any event of any damages, incidental or consequential, in connection with, or arising out of this advisory, or its codes and exploits.

CONTACT INFORMATION:
For more information, please contact:- 

Susam Pal
Infosys Technologies Ltd.
Survey No. 210, Manikonda Village
Lingampally, Rangareddy District
Hyderabad, PIN 500019
India
Phone No.: +91-9985259521
Email: susam.pal@gmail.com
http://susampal.blogspot.com/
http://securecoding.blogspot.com/