httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dirk.vanGulik" <Dirk.vanGu...@jrc.it>
Subject Re: Security interest
Date Fri, 31 May 1996 15:08:51 GMT

> I can't really think how I could exploit this unless the interpreter
> is owned by the webserver id.

I was starting to agree on you, but just try this:

telnet localhost 80
POST /cgi-bin/perl HTTP/1.0
Content-length: 250
Content-type: application/x-www-form-urlencoded
# This is send to the perl interp on the stdin

print qq|Content-type: text/html

Hello World
|;
exit 0;

<And a lot of returns to make it up to 250 chars.





> ------- Forwarded Message
> 
> Organization: CERT(sm) Coordination Center -  +1 412-268-7090
> Sender: proff@suburbia.net
> Resent-Message-ID: <"MCZnT2.0.ux3.ZpBhn"@suburbia>
> Resent-From: best-of-security@suburbia.net
> X-Mailing-List: <best-of-security@suburbia.net> archive/latest/81
> X-Loop: best-of-security@suburbia.net
> Precedence: list
> Resent-Sender: best-of-security-request@suburbia.net
> Subject: BoS: CERT Advisory CA-96.11 - Interpreters in CGI bin Directories
> 
> - -----BEGIN PGP SIGNED MESSAGE-----
> 
> =============================================================================
> CERT(sm) Advisory CA-96.11
> May 29, 1996
> 
> Topic: Interpreters in CGI bin Directories
> - - -----------------------------------------------------------------------------
> 
> Many sites that maintain a Web server support CGI programs. Often these
> programs are scripts that are run by general-purpose interpreters, such as
> /bin/sh or PERL. If the interpreters are located in the CGI bin directory
> along with the associated scripts, intruders can access the interpreters
> directly and arrange to execute arbitrary commands on the Web server system.
> This problem has been widely discussed in several forums. Unfortunately, some
> sites have not corrected it.
> 
> The CERT Coordination Center recommends that you never put interpreters in a
> Web server's CGI bin directory. 
> 
> As we receive additional information relating to this advisory, we
> will place it in
>         ftp://info.cert.org/pub/cert_advisories/CA-96.11.README
> 
> We encourage you to check our README files regularly for updates on
> advisories that relate to your site.
> 
> - - -----------------------------------------------------------------------------
> I.   Description
> 
>      To execute CGI scripts, a Web server must be able to access the
>      interpreter used for that script. Early documentation for Netscape and
>      other servers recommended placing the interpreters in the CGI bin
>      directory to ensure that they were available to run the script.
> 
>      All programs in the CGI bin directory can be executed with arbitrary
>      arguments, so it is important to carefully design the programs
>      to permit only the intended actions regardless of what arguments are
>      used. This is difficult enough in general, but is a special problem for
>      general-purpose interpreters since they are designed to execute 
>      arbitrary programs based on their arguments. *All* programs in the
>      CGI bin directory must be evaluated carefully, even relatively
>      limited programs such as gnu-tar and find. 
> 
>      Note that the directory for CGI programs is typically called "cgi-bin"
>      but the server may be configured to use a different name.
> 
> II.  Impact
> 
>      If general-purpose interpreters are accessible in a Web server's CGI bin
>      directory, then a remote user can execute any command the interpreters
>      can execute on that server.
> 
> III. Solution
> 
>      The solution to this problem is to ensure that the CGI bin directory 
>      does not include any general-purpose interpreters, for example
>              + PERL
>              + Tcl
>              + UNIX shells (sh, csh, ksh, etc.)
> 
>      A variety of methods can be used to safely install such interpreters;
>      methods vary depending on the system and Web server involved.
> 
>      On Unix systems, the location of the interpreter is given on the first
>      line of the script:
>         #! /path/to/interpreter
> 
>      On other systems, such as NT, there is an association between filename
>      extensions and the applications used to run them. If your Web server
>      uses this association, you can give CGI scripts an appropriate suffix
>      (for example, ".pl" for PERL), which is registered to the appropriate
>      interpreter. This avoids the need to install the interpreter in the
>      CGI bin directory, thus avoiding the problem.
> 
>      Check with your Web server vendor for specific information.
> 
>      Netscape reports that the 2.0 versions of their FastTrack and Enterprise
>      Servers, (both the current Beta and upcoming final versions), do support
>      file interpreter associations.
> 
>      Further reading:
> 
>         Tom Christiansen has a Web page with details about this problem
>         and a script that can be used to test for it:
>                 http://perl.com/perl/news/latro-announce.html
> 
>          Lincoln Stein's WWW Security FAQ includes a section on "Problems
>          with Specific Servers," which discusses this and related problems:
>                 http://www.genome.wi.mit.edu/WWW/faqs/www-security-faq.html
> 
> - - ---------------------------------------------------------------------------
> The CERT Coordination Center thanks Lincoln Stein, Tom Christiansen, and the
> members of AUSCERT and DFN-CERT for their contributions to the information in
> this advisory.
> - - ---------------------------------------------------------------------------
> 
> If you believe that your system has been compromised, contact the CERT
> Coordination Center or your representative in the Forum of Incident
> Response and Security Teams (FIRST).
> 
> We strongly urge you to encrypt any sensitive information you send by email.
> The CERT Coordination Center can support a shared DES key and PGP. Contact 
> the CERT staff for more information.
> 
> Location of CERT PGP key
>          ftp://info.cert.org/pub/CERT_PGP.key
> 
> CERT Contact Information
> - - ------------------------
> Email    cert@cert.org
> 
> Phone    +1 412-268-7090 (24-hour hotline)
>                 CERT personnel answer 8:30-5:00 p.m. EST
>                 (GMT-5)/EDT(GMT-4), and are on call for
>                 emergencies during other hours.
> 
> Fax      +1 412-268-6989
> 
> Postal address
>         CERT Coordination Center
>         Software Engineering Institute
>         Carnegie Mellon University
>         Pittsburgh PA 15213-3890
>         USA
> 
> CERT publications, information about FIRST representatives, and other
> security-related information are available for anonymous FTP from
>         http://www.cert.org/
>         ftp://info.cert.org/pub/
> 
> CERT advisories and bulletins are also posted on the USENET newsgroup
>         comp.security.announce
> 
> To be added to our mailing list for CERT advisories and bulletins, send your
> email address to
>         cert-advisory-request@cert.org
> 
> 
> Copyright 1996 Carnegie Mellon University
> This material may be reproduced and distributed without permission provided
> it is used for noncommercial purposes and the copyright statement is 
> included.
> 
> CERT is a service mark of Carnegie Mellon University.
> 
> 
> - -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
> 
> iQCVAwUBMaxzTnVP+x0t4w7BAQETdwP/b33r0mLCZhHJDWeFFYGD7tSfBxgSn+lz
> +9YoVJRCR/V54KGvsjN6Wya7rpIjgJRYhLp3B5C/hy9ApYX5ec44AKzYswgcW194
> cHyj6bg6qZHEQMRk3R6xsXks19zsvEmN+N7xCJuR8gF1/XEUqY/fSB8xsaLNQ2Cl
> ZegRkaV/WUo=
> =LwbY
> - -----END PGP SIGNATURE-----
> 
> ------- End of Forwarded Message
> 
> 
> 
> 


Mime
View raw message