
cgiDisclose.txt

Posted Aug 27, 2006
Authored by Susam Pal | Site susampal.blogspot.com

A CGI script source disclosure flaw exists for Apache version 2.2.2 on Windows.

tags | advisory, cgi
systems | windows
SHA-256 | a6a0387f2d698b421275702177e3014a3695f9a3e2da9e7277cbf89bc1d9d223

ADVISORY NAME:
CGI Script Source Code Disclosure Vulnerability in Apache for Windows

VULNERABLE SYSTEMS:
The vulnerability has been verified on Apache 2.2.2 running on Microsoft Windows XP, Version 2002, Service Pack 2.

FOUND BY:
Susam Pal

FOUND ON:
8th August, 2007

VULNERABILITY TYPE:
Information Disclosure

SYSTEM DESCRIPTION:
Apache HTTPD is a web server that runs on many platforms. Its basic configuration lives in the file 'httpd.conf'. The 'DocumentRoot' directive names the directory that is treated as the root for serving documents. For instance:-

DocumentRoot "/home/webmaster/site/docroot/"

In the above example, a request for 'http://[target]/foo.html' fetches the 'foo.html' page from the '/home/webmaster/site/docroot/' directory on the server.

The 'ScriptAlias' directive maps a URL prefix to the directory that contains server scripts; requests under that prefix are executed as CGI programs rather than served as files. The following is a typical 'ScriptAlias' directive:-

ScriptAlias /cgi-bin/ "/home/webmaster/site/docroot/cgi-bin"

If a user requests 'http://[target]/cgi-bin/foo', where '/cgi-bin/' is the aliased prefix and 'foo' is a script in the scripts directory, the user receives the output of 'foo'. On a correctly configured server the user must not be able to obtain the source code of 'foo' with an HTTP GET request.

VULNERABILITY DESCRIPTION:
Usually the following directives in 'httpd.conf' can be considered safe on Unix/Linux (assuming that the other directives have not been edited in unsafe ways):-

# Sample Safe Configuration for Unix/Linux
DocumentRoot "/home/webmaster/site/docroot/"
ScriptAlias /cgi-bin/ "/home/webmaster/site/docroot/cgi-bin"

But a similar configuration is not safe on Windows. For instance:-

# Sample Unsafe Configuration for Windows
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/docroot/cgi-bin/"

If the scripts directory (given by 'ScriptAlias') lies inside the document root (given by 'DocumentRoot') and the last component of the script alias has the same name as the directory containing the scripts, an attacker can obtain the source code of the CGI scripts with a direct request to 'http://[target]/CGI-BIN/foo'. Any spelling of 'cgi-bin' whose case differs from the one in the 'ScriptAlias' directive works the same way.

Apache compares the requested URL against the prefix in the 'ScriptAlias' directive case-sensitively when deciding whether a request refers to the scripts directory. A request for a file under 'CGI-BIN' therefore does not match the 'cgi-bin' alias, and Apache does not treat it as a CGI request. It instead maps the path under the document root and looks for a 'CGI-BIN' directory there. Because file and directory names are not case-sensitive on Windows, that lookup succeeds and finds the real 'cgi-bin' directory. Apache then sends the contents of 'foo' as an ordinary static file in the HTTP response. The script is never executed, because from the server's point of view it was not found in a directory mapped by a script alias.

EXPLOIT:
The vulnerability can be exploited by making a direct request to http://[target]/CGI-BIN/foo, which returns the source of 'foo' instead of its output.
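The request mapping described above, as an added illustration in Python (this is not code from the advisory or from Apache, only a model of the two steps that matter): a constructed in-memory filesystem whose lookups ignore case when it is flagged as Windows, and a request handler that applies a case-sensitive 'ScriptAlias' prefix match before falling back to a static lookup under 'DocumentRoot'. The script text, the file names and the 'FakeFS' and 'Server' classes are constructed for the example; the three configurations are the ones quoted in this advisory.

```python
# Added example: a toy model of the request mapping the advisory describes.
# It is not Apache code; only the two steps that matter here are reproduced.
from dataclasses import dataclass

# Constructed CGI script; the point is that its text must never reach a client.
FOO_SOURCE = (
    "#!/usr/bin/perl\n"
    "my $db_password = 'constructed-secret';   # would leak on disclosure\n"
    "print \"Content-type: text/plain\\n\\nhello\\n\";\n"
)
FOO_OUTPUT = "hello\n"   # what the script prints when it is actually executed


@dataclass
class FakeFS:
    """Constructed in-memory filesystem: canonical path -> file content."""
    files: dict
    case_insensitive: bool   # True models Windows filesystem lookups

    def read(self, path):
        if not self.case_insensitive:
            return self.files.get(path)
        for real_path, content in self.files.items():
            if real_path.lower() == path.lower():
                return content
        return None


@dataclass
class Server:
    """Just enough of httpd.conf: one DocumentRoot and the ScriptAlias table."""
    document_root: str
    script_aliases: dict     # URL prefix -> filesystem directory
    fs: FakeFS

    def handle(self, url_path):
        """Return (status, kind, body) for a GET of url_path."""
        # Step 1: ScriptAlias is a case-sensitive URL-prefix match.
        for prefix, directory in self.script_aliases.items():
            if url_path.startswith(prefix):
                script = self.fs.read(directory.rstrip("/") + "/" + url_path[len(prefix):])
                if script is None:
                    return 404, "none", ""
                # Execution is simulated; a real server would run the interpreter.
                return 200, "cgi", FOO_OUTPUT if script == FOO_SOURCE else ""
        # Step 2: no alias matched, so the path is mapped under DocumentRoot and
        # whatever the filesystem finds there is sent as a static file.
        body = self.fs.read(self.document_root.rstrip("/") + "/" + url_path.lstrip("/"))
        if body is None:
            return 404, "none", ""
        return 200, "static", body


SITE = "C:/Documents and Settings/webmaster/site"

# The advisory's "Sample Unsafe Configuration for Windows".
UNSAFE_WINDOWS = Server(
    document_root=SITE + "/docroot",
    script_aliases={"/cgi-bin/": SITE + "/docroot/cgi-bin/"},
    fs=FakeFS({SITE + "/docroot/cgi-bin/foo": FOO_SOURCE}, case_insensitive=True),
)

# The same layout on a case-sensitive filesystem (the Unix/Linux configuration).
SAME_LAYOUT_UNIX = Server(
    document_root="/home/webmaster/site/docroot/",
    script_aliases={"/cgi-bin/": "/home/webmaster/site/docroot/cgi-bin"},
    fs=FakeFS({"/home/webmaster/site/docroot/cgi-bin/foo": FOO_SOURCE}, case_insensitive=False),
)

# The advisory's "Sample Configuration for Increased Security": scripts outside DocumentRoot.
SAFE_WINDOWS = Server(
    document_root=SITE + "/docroot",
    script_aliases={"/cgi-bin/": SITE + "/cgi-bin"},
    fs=FakeFS({SITE + "/cgi-bin/foo": FOO_SOURCE}, case_insensitive=True),
)


def disclosed(server, url_path):
    """True if a GET of url_path returns the script text instead of running it."""
    status, kind, body = server.handle(url_path)
    return status == 200 and kind == "static" and body == FOO_SOURCE


if __name__ == "__main__":
    for name, srv in [("unsafe-windows", UNSAFE_WINDOWS),
                      ("unix", SAME_LAYOUT_UNIX), ("safe-windows", SAFE_WINDOWS)]:
        for path in ("/cgi-bin/foo", "/CGI-BIN/foo"):
            status, kind, _ = srv.handle(path)
            print(f"{name:14s} GET {path:13s} -> {status} {kind:6s} disclosed={disclosed(srv, path)}")
```

Only the unsafe Windows layout answers '/CGI-BIN/foo' with the script text: the Unix layout returns 404 because 'CGI-BIN' does not exist on a case-sensitive filesystem, and the layout with the scripts outside the document root returns 404 because there is nothing under 'docroot' for the fallback lookup to find.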

PREVENTION:
1. Giving the scripts directory a name different from the 'ScriptAlias' prefix reduces the risk. For instance,

# Sample Configuration for Reducing Risk
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/docroot/sdy1x9y/"

The attacker can still obtain the source code with a direct request to 'http://[target]/sdy1x9y/foo' if the attacker can somehow determine that 'ScriptAlias /cgi-bin/' refers to the 'sdy1x9y' directory. Because that directory still lies inside the document root, such a request is served as a plain file without any case trick, so this measure only hides the directory name; it does not remove the exposure.

2. A more secure preventive measure is to place the scripts directory outside 'DocumentRoot' and point a 'ScriptAlias' at it, so that no request mapped under the document root can ever reach a script file. This is also how the stock 'httpd.conf' shipped with Apache arranges things: 'cgi-bin' is a sibling of 'htdocs', not a child of it. For instance,

# Sample Configuration for Increased Security
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/cgi-bin"
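One way to check a configuration for the conditions the two preventive measures address, as an added example in Python (not the advisory's code and not an Apache tool): it parses only the 'DocumentRoot' and 'ScriptAlias' directives from httpd.conf text, then classifies each alias by whether its directory lies inside the document root and whether the directory name matches the alias. It goes slightly beyond the advisory in also flagging the first measure as risky on any operating system, since a request for '/sdy1x9y/foo' is served as a plain file without any case trick. The sample configurations are the ones quoted above; the function names and verdict strings are this example's own, and the parser handles only simple one-line forms of the two directives.

```python
# Added example: audit the DocumentRoot/ScriptAlias relationship that the
# advisory's prevention advice turns on.  Not Apache code and not the author's.
import re
from pathlib import PurePosixPath, PureWindowsPath

# Only the two directives this check needs; "ScriptAliasMatch" is not matched
# because the regex requires whitespace directly after the directive name.
DIRECTIVE = re.compile(r'^\s*(DocumentRoot|ScriptAlias)\s+(.*?)\s*$', re.IGNORECASE)


def _args(rest):
    """Split directive arguments, honouring double quotes around paths with spaces."""
    return [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', rest)]


def parse_httpd_conf(text):
    """Return (document_root, [(url_prefix, directory), ...]) from httpd.conf text."""
    document_root, aliases = None, []
    for line in text.splitlines():
        m = DIRECTIVE.match(line)          # commented lines start with '#', so they never match
        if not m:
            continue
        name, args = m.group(1).lower(), _args(m.group(2))
        if name == 'documentroot' and len(args) == 1:
            document_root = args[0]
        elif name == 'scriptalias' and len(args) == 2:
            aliases.append((args[0], args[1]))
    return document_root, aliases


def audit(text, windows):
    """Classify every ScriptAlias against DocumentRoot.

    windows=True means Windows paths on a case-insensitive filesystem, the
    combination the advisory's finding depends on.
    """
    document_root, aliases = parse_httpd_conf(text)
    if document_root is None:
        raise ValueError('no DocumentRoot directive found')
    path_cls = PureWindowsPath if windows else PurePosixPath
    key = (lambda parts: tuple(p.lower() for p in parts)) if windows else tuple
    root = path_cls(document_root).parts
    findings = []
    for url_prefix, directory in aliases:
        d = path_cls(directory)
        inside = len(d.parts) > len(root) and key(d.parts[:len(root)]) == key(root)
        alias_name = url_prefix.strip('/').rsplit('/', 1)[-1]
        same_name = key((d.name,)) == key((alias_name,))
        if not inside:
            verdict = 'ok: outside DocumentRoot'
        elif not same_name:
            # No case trick needed: /<dirname>/foo is a plain static file on any OS.
            verdict = 'risky: inside DocumentRoot, disclosed if the directory name is guessed'
        elif windows:
            verdict = 'unsafe: inside DocumentRoot, a case variant of the alias discloses source'
        else:
            verdict = 'latent: inside DocumentRoot, safe only while the filesystem is case-sensitive'
        findings.append((url_prefix, directory, verdict))
    return findings


# The four configurations quoted in the advisory, embedded here as test input.
UNIX_CONF = '''\
DocumentRoot "/home/webmaster/site/docroot/"
ScriptAlias /cgi-bin/ "/home/webmaster/site/docroot/cgi-bin"
'''
UNSAFE_WINDOWS_CONF = '''\
# Sample Unsafe Configuration for Windows
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/docroot/cgi-bin/"
'''
REDUCED_RISK_CONF = '''\
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/docroot/sdy1x9y/"
'''
INCREASED_SECURITY_CONF = '''\
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/cgi-bin"
'''

if __name__ == '__main__':
    for label, conf, win in [('unix', UNIX_CONF, False),
                             ('unsafe-windows', UNSAFE_WINDOWS_CONF, True),
                             ('reduced-risk', REDUCED_RISK_CONF, True),
                             ('increased-security', INCREASED_SECURITY_CONF, True)]:
        for url_prefix, directory, verdict in audit(conf, windows=win):
            print(f'{label:19s} {url_prefix} -> {directory}\n    {verdict}')
```

Running the audit with windows=True against a real httpd.conf on a Windows host is enough to find the exposure before anyone requests '/CGI-BIN/'; the 'latent' verdict on Unix is a reminder that the same layout becomes unsafe the moment the directory is moved to a case-insensitive filesystem.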

DISCLAIMER:
The information, codes and exploits in this advisory should be used for research, experimentation, bug-fixes and patch-releases only. The author shall not be liable in any event of any damages, incidental or consequential, in connection with, or arising out of this advisory, or its codes and exploits.

CONTACT INFORMATION:
For more information, please contact:-

Susam Pal
Infosys Technologies Ltd.
Survey No. 210, Manikonda Village
Lingampally, Rangareddy District
Hyderabad, PIN 500019
India
Phone No.: +91-9985259521
Email: susam.pal@gmail.com
http://susampal.blogspot.com/
http://securecoding.blogspot.com/