-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
  >> CERT-NL, 01-Mar-2000                                                   <<
  >> All CERT-NL information has been moved to http://cert.surfnet.nl. Links <<
  >> to CERT-NL information contained in this advisory are therefore        <<
  >> outdated.                                                              <<
  >>                                                                        <<
  >> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the   <<
  >> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for   <<
  >> the complete CERT-CC advisory texts: http://www.cert.org               <<
===============================================================================

===============================================================================
  Security Advisory                                                   CERT-NL
===============================================================================
Author/Source : Teun Nijssen                           Index   : S-96-22
Distribution  : World                                  Page    : 1
Classification: External                               Version : 1
Subject       : CERN Web-server 3.0                    Date    : 16-May-96
===============================================================================

By courtesy of NASIRC, NASA's CERT team for earth and surroundings, we received
information on a vulnerability in CERN's Web-Server Version 3.0.

- -------------------------------------------------------------------------------
This bulletin reports a recently announced security vulnerability. It may
contain a workaround or software patch. Bulletins should be considered urgent
as vulnerability information is likely to be widely known by the time a patch
is issued or other solutions are developed.

NASIRC has been informed of two security vulnerabilities in the CERN httpd Web
server Version 3.0.

1) The server has a security vulnerability that will allow anyone accessing a
   Web site running this server to bypass any restrictions that have been
   specified in the server configuration file "httpd.conf". These are
   restrictions such as permitting only browsers at ".nasa.gov" addresses to
   view certain pages. This problem affects the CERN server.
   It does not affect the NCSA server. NASIRC has not evaluated any other Web
   servers for this vulnerability. This vulnerability does not permit an
   intruder to modify data on the server.

2) The "CGIParse" utility, which is distributed with the CERN Web server, has
   a vulnerability that will allow a malicious person to execute shell
   commands on the server.

SYSTEMS AFFECTED

UNIX systems running the CERN Web server httpd Version 3.0 are affected.

PROBLEM 1 DESCRIPTION

The CERN Web server allows a Webmaster to specify that selected Web pages
should be served to only certain network sites or only if the viewer can
supply the correct password. This access configuration is specified in the
"httpd.conf" file. These restrictions may be trivially bypassed by altering
the pathname of the file in the URL to something that is equivalent to the
underlying file system but that will not exactly match the restriction
specified in the "httpd.conf" file. This hole is being actively exploited.

RECOMMENDED ACTION FOR PROBLEM 1

Webmasters should include the following lines in the "httpd.conf" file BEFORE
any "Exec", "Pass" or "Map" directives:

        Fail //*
        Fail *//*
        Fail /./*
        Fail */./*

PROBLEM 2 DESCRIPTION

The utility program "CGIParse" is intended to be used by CGI shell scripts to
parse data that was entered into a form by a person running a browser and sent
to the local Web server. It assembles a shell command to set the environment
variable "QUERY_STRING", but does not adequately protect against
shell-significant characters within the string value passed from the browser.
This allows a malicious person to embed arbitrary shell commands within the
string and cause them to be executed by the shell process running the CGI
script.
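Added example for Problem 1 (this is editor-supplied C, not code from the advisory, NASIRC, or CERN httpd): it contrasts a check that matches a protection template against the raw request path with one that canonicalizes the path first, and applies the advisory's four Fail rules as templates to the raw path. The template syntax (a single '*' wildcard), the sample restriction "/secret/*", the request paths and every function name are assumptions made for the demonstration.

```c
/* Added example, not CERN httpd code: judge an access restriction on the
 * canonical form of the request path, so "//secret/x" and "/./secret/x"
 * (the spellings the advisory's Fail rules block) fall under the same rule
 * as "/secret/x". The template "/secret/*" is a constructed restriction. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Rule template match: '*' matches any run of characters (slashes too),
 * anything else matches literally. Simplified, hypothetical helper. */
int template_match(const char *tmpl, const char *s)
{
    if (*tmpl == '\0') return *s == '\0';
    if (*tmpl != '*')  return *tmpl == *s && template_match(tmpl + 1, s + 1);
    for (;; s++) {                      /* '*': try every possible remainder */
        if (template_match(tmpl + 1, s)) return 1;
        if (*s == '\0') return 0;
    }
}

/* Canonical URL path: collapse runs of '/', drop "." segments, resolve ".."
 * (never above the root), no trailing slash. malloc'd; caller frees. */
char *canonical_path(const char *path)
{
    size_t len = 1, seglen;
    const char *p = path, *seg;
    char *out = malloc(strlen(path) + 3);
    if (!out) return NULL;
    out[0] = '/';
    while (*p) {
        while (*p == '/') p++;          /* swallow a run of slashes */
        if (!*p) break;
        for (seg = p; *p && *p != '/'; p++) ;
        seglen = (size_t)(p - seg);
        if (seglen == 1 && seg[0] == '.') continue;       /* "." : no-op */
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len > 1) {              /* ".." : pop the previous segment */
                for (len--; len > 1 && out[len - 1] != '/'; len--) ;
            }
            continue;
        }
        memcpy(out + len, seg, seglen);
        len += seglen;
        out[len++] = '/';
    }
    if (len > 1 && out[len - 1] == '/') len--;
    out[len] = '\0';
    return out;
}

/* The advisory's workaround: the four Fail rules, applied to the raw path. */
static const char *fail_rules[] = { "//*", "*//*", "/./*", "*/./*" };

int fail_rules_reject(const char *request_path)
{
    size_t i;
    for (i = 0; i < sizeof fail_rules / sizeof fail_rules[0]; i++)
        if (template_match(fail_rules[i], request_path)) return 1;
    return 0;
}

/* Vulnerable pattern: the restriction is matched against the raw path. */
int naive_restricted(const char *request_path)
{
    return template_match("/secret/*", request_path);
}

/* Hardened pattern: canonicalize, then match. 1 = restricted (deny). */
int canonical_restricted(const char *request_path)
{
    char *canon = canonical_path(request_path);
    int restricted;
    if (!canon) return 1;               /* fail closed on allocation failure */
    restricted = template_match("/secret/*", canon);
    free(canon);
    return restricted;
}

int main(void)
{
    /* Constructed requests: the protected page and two equivalent spellings. */
    const char *req[] = { "/secret/page.html", "//secret/page.html",
                          "/./secret/page.html" };
    size_t i;
    for (i = 0; i < 3; i++)
        printf("%-20s naive=%d fail_rules=%d canonical=%d\n", req[i],
               naive_restricted(req[i]), fail_rules_reject(req[i]),
               canonical_restricted(req[i]));
    return 0;
}
```

Compile with any C99 compiler and run: the naive check accepts the two alternative spellings while both the Fail rules and the canonicalizing check reject them. The Fail rules are the quick workaround the advisory gives; canonicalizing before every rule lookup is the structural fix, because it removes the class of mismatch rather than enumerating spellings.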
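Added example for Problem 2 (editor-supplied C, not the advisory's or CERN httpd's code): the patch given under RECOMMENDED ACTION FOR PROBLEM 2 moves the quoting into a function sh_escape that the diff itself does not show, so this block implements what such a function must do, builds the QUERY_STRING assignment both the unpatched and the patched way, and counts how many command separators a shell would see in each. The form value, the helper names and the separator-counting check are constructed for the demonstration.

```c
/* Added example, not CERN httpd's sh_escape: what the escaping routine the
 * advisory's patch calls must do. Between single quotes a POSIX shell takes
 * every character literally, so only the single quote itself needs handling:
 * it is written as '\'' (close the quotes, one escaped quote, reopen). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Quote s as exactly one shell word. Returns a malloc'd string; caller frees. */
char *sh_escape(const char *s)
{
    size_t n = strlen(s), i, j = 0;
    char *out = malloc(4 * n + 3);      /* worst case: every char is a quote */
    if (!out) return NULL;
    out[j++] = '\'';
    for (i = 0; i < n; i++) {
        if (s[i] == '\'') { memcpy(out + j, "'\\''", 4); j += 4; }
        else out[j++] = s[i];
    }
    out[j++] = '\'';
    out[j] = '\0';
    return out;
}

/* Command text the unpatched CGIParse emits: the value is pasted between
 * fixed quotes, so a quote inside the value terminates the quoting. */
char *assignment_unpatched(const char *query_string)
{
    size_t cap = strlen(query_string) + 48;
    char *cmd = malloc(cap);
    if (cmd) snprintf(cmd, cap, "QUERY_STRING='%s'; export QUERY_STRING", query_string);
    return cmd;
}

/* Command text after the patch: sh_escape supplies the quoting. */
char *assignment_patched(const char *query_string)
{
    char *esc = sh_escape(query_string), *cmd;
    size_t cap;
    if (!esc) return NULL;
    cap = strlen(esc) + 48;
    cmd = malloc(cap);
    if (cmd) snprintf(cmd, cap, "QUERY_STRING=%s; export QUERY_STRING", esc);
    free(esc);
    return cmd;
}

/* Check on an emitted command: count the ';' separators a shell would see
 * outside single quotes (honouring backslash escapes outside quotes). A
 * well-formed assignment has exactly one, before "export". Returns -1 if the
 * text ends inside an open quote. Hypothetical helper. */
int unquoted_semicolons(const char *cmd)
{
    int in_quote = 0, count = 0;
    const char *p;
    for (p = cmd; *p; p++) {
        if (in_quote)                 { if (*p == '\'') in_quote = 0; }
        else if (*p == '\\' && p[1])  p++;            /* escaped, literal */
        else if (*p == '\'')          in_quote = 1;
        else if (*p == ';')           count++;
    }
    return in_quote ? -1 : count;
}

int main(void)
{
    /* Constructed form value: an ordinary apostrophe in a surname is enough
     * to break the unpatched command. */
    const char *value = "name=O'Brien";
    char *bad = assignment_unpatched(value), *good = assignment_patched(value);
    printf("unpatched: %s   unquoted ';' = %d\n", bad, unquoted_semicolons(bad));
    printf("patched:   %s   unquoted ';' = %d\n", good, unquoted_semicolons(good));
    free(bad);
    free(good);
    return 0;
}
```

With the constructed value the unpatched command ends inside an open quote (the check returns -1), while the patched command is one assignment followed by a single separator. Whoever applies the advisory's patch should confirm that a sh_escape with this contract exists in their CGIParse source tree, since the diff only adds the call.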
RECOMMENDED ACTION FOR PROBLEM 2

System administrators should apply the following patch to the source file
"WWW/Daemon/Implementation/CGIParse.c" and recompile and reinstall the
"CGIParse" program:

296c296,297
< printf("QUERY_STRING='%s'; export QUERY_STRING\n", query_string) ;
---
> printf("QUERY_STRING=%s; export QUERY_STRING\n"
> , sh_escape(query_string)) ;

ADDITIONAL NOTES

Web page access restrictions based on IP addresses or DNS information are not
truly secure since that information is simple to falsify. Password-restricted
pages are also not very secure since the plaintext passwords used by the HTTP
protocol may be easily captured in transit. The protection mechanisms provided
by most Web servers are sufficient only to prevent casual browsing by
unauthorized persons. Truly sensitive information should not be made
accessible via the Web.

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
NASIRC ACKNOWLEDGES: Paul J. Meyer of MSFC for bringing problem 1 to NASIRC's
attention and for testing; Anselm Baird-Smith of the World Wide Web Consortium
for providing the workaround and patch; and Wolfgang Ley of DFN-CERT for
alerting NASIRC to problem 2 and for additional comments.
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

CERT-NL recommends implementing NASIRC's advice.

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under: http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e.
UTC+0100 in winter and UTC+0200 in summer (DST).

Email:      cert-nl@surfnet.nl        ATTENDED REGULARLY ALL DAYS
Phone:      +31 302 305 305           BUSINESS HOURS ONLY
Fax:        +31 302 305 329           BUSINESS HOURS ONLY
Snailmail:  SURFnet bv
            Attn. CERT-NL
            P.O. Box 19035
            NL - 3501 DA  UTRECHT
            The Netherlands

EMERGENCIES : 06 22 92 35 64          ALWAYS REACHABLE
EMERGENCIES : +31 6 22 92 35 64       ATTENDED AT ALL TIMES

CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED* PROCEDURE
FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT TO CERT-NL IN
AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6IJTSYjBqwfc9jEQLB3ACdF6g2LReKd7qOkwgE+usGcauHFe0AmQGc
HnqqkD9YT98ABvqgPIDf56Bp
=1KjX
-----END PGP SIGNATURE-----