httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From (Robert S. Thau)
Subject Security hole in NCSA 1.4
Date Thu, 06 Apr 1995 07:06:19 GMT
Just so you guys know, there's a security hole in NCSA 1.4b3 --- if
people have CGI scripts in STD_DOCUMENT space via ExecCGI (i.e., a
script in some random directory named $DocumentRoot/some/dir/foo.cgi),
then sending the command

   GET /some/dir/foo.cgi

correctly invokes the script, but

   GET /some/dir/foo.cgi/

sends back the script's source code.  This can make it dramatically
easier for an attacker to probe a site's CGI scripts for potential
vulnerabilities, and is an all-around Bad Thing.  (Note that CGI
scripts in ScriptAliased directories are not affected by this bug;
it's only the ones in STD_DOCUMENT space which have the problem).

I can set up a test harness for NCSA httpd on which
demonstrates the problem, if you have any trouble duplicating it
yourselves.  (The test setup I usually use for these things is
restricted to lab-internal access, for obvious reasons, but I can let
you in if need be).

This is the same bug I fixed in Apache as B48 (though you probably
can't use that patch directly, as the code patched in that patch has
already been altered by another one of our bug fixes).  We're probably
going to announce that we've fixed this thing when we do our public
release, so it would be good for you to have it fixed in your first
public distribution as well...


View raw message