httpd-dev mailing list archives

From Rob Hartill <>
Subject Security Report: HTTP Server Exploit (fwd)
Date Wed, 11 Dec 1996 16:38:03 GMT


I don't think we have this script in 1.2, but if we do I told him we'd
fix/get rid of it.

----- Forwarded message from Josh Richards -----

Date: Wed, 11 Dec 1996 06:38:24 -0800 (PST)
From: Josh Richards <>
Subject: Security Report: HTTP Server Exploit
Message-ID: <>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

I have sent this to involved administrators, please take this problem
seriously as it is readily exploitable on a majority of the Internet's web
servers that I am running across.  If you have any questions don't
hesitate to e-mail me <>.


[I am sending this to administrators of servers that I have noticed this
exploit is possible on when I was verifying which versions of HTTP server
software were vulnerable.  I will be releasing this Security Advisory
shortly to the named mailing lists.  Please contact me if you have any
questions about this matter. <>--JR]


Sent to:
    (BUGTRAQ mailing list)
    (Apache HTTP bug report)
    (NCSA HTTP Development Group)
    (CERT Advisory Report)
    (WWW Managers list)
    (2600 Magazine: The Hacker Quarterly)
    (Netscape Inc.)

                               The DataHaven Project
                            ____ SECURITY ADVISORY ____

                                 10 December 1996

Program(s): nph-test-cgi (a commonly installed sample CGI script)

Problems: Anyone can remotely view your filesystems via the web.

Extent/Severity: Majority of UNIX based Internet World Wide Web servers
                 are currently exploitable.

Date: 10 December 1996

Author: (Josh Richards)


A security hole exists in the nph-test-cgi script included in most UNIX
based World Wide Web daemon distributions.  The nph-* scripts exist to
allow 'non-parsed headers' to be sent via the HTTP protocol (this is not
the cause of this security problem, though).  The problem is that
nph-test-cgi, which prints out information on the current web environment
(just like 'test-cgi' does) does not enclose its arguments to the 'echo'
command inside of quotes.  Shell escapes are not possible (or at least I
have not found them to be--yet) but shell *expansion* is....  This means
that _any_ remote user can easily browse your filesystem via the WWW.


[PLEASE NOTE: These are only the ones that I have access to and could test
out and verify.--JR]

NCSA HTTP 1.3, 1.4, 1.4.1, 1.4.2, 1.5.1, 1.5.2
Apache HTTP 0.8.11, 0.8.14, 1.0.0, 1.0.2, 1.0.3, 1.0.5, 1.1.1, 1.2b2
Apache-SSL HTTP 1.0.5, 1.1.1
StrongHold 1.3.2 (basically Apache 1.1.1 + SSL extensions)
   Communications 1.1, 1.12
   Enterprise 2.0a
   Commerce 1.12


Enter the URL: <*>

Replace <> with the hostname of a server running a web
daemon near you.

[Please note that the asterisk ('*') on the end of the URL is very

Now look very closely at the line beginning with "QUERY_STRING".
Does it look familiar to you?  It should (if it doesn't, you should really
spend a little more time looking at what is installed on your system).

Similar URLs such as <*>
will allow users to traverse the filesystem and view the contents of
other directories on your server.


A similar bug was reported in a L0pht advisory (from in
April 1996 with another (very similar) cgi script ('test-cgi') and it was
subsequently fixed by most of the major distributions. See
<URL:> for more


Type 'chmod 700 nph-test-cgi' at your nearest shell prompt (as superuser). 


If it is necessary to have the script accessible (I don't know why it
would be though) then a quick fix is to put quotes around all parameters
to 'echo'.

A longer term fix is to disable shell 'globbing' completely.  This can be
accomplished with 'set -f' if you are using a Bourne-derived shell.


Apply the above suggested fixes.  Watch your server's access_logs for any
accesses to "/cgi-bin/nph-test-cgi" by doing a grep for "nph-test-cgi".


There are _many_ CGI scripts written (I am guilty of writing them myself) 
that do not check the input environment/variables enough.  Please check
your quickly-hacked-together-just-to-get-the-job-done shell scripts
carefully. UNIX can be powerful--too powerful for its (our?) own good



|   Josh Richards -- Network Admin/Tech Support @ ***The FIX Network***     |
|   <jrichard@FIX.Net> <jrichard@Freedom.Gen.Ca.Us> <jrichard@Slonet.Org>
| <>            Finger for my PGP Key |
|  - '"Anonymity is bad," says a source who wishes to remain anonymous.' -  |

----- End of forwarded message from Josh Richards -----

Rob Hartill.       Internet Movie Database Ltd.  
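As an added illustration (this is not code from the advisory, from Rob's reply, or from any httpd distribution), the following Bourne-shell script reproduces the unquoted-'echo' globbing behaviour the advisory describes inside a scratch directory, shows the two fixes it names (quoting the parameter, and 'set -f') side by side, and runs the suggested access_log grep over a few constructed log lines. The file names, the log lines, the value of QUERY_STRING and every function name here are constructed for the example.

```shell
#!/bin/sh
# Added example: unquoted echo of a CGI variable versus the two fixes the
# advisory names. Nothing here is taken from nph-test-cgi itself.

# Constructed stand-in for the variable the web server exports to the script.
QUERY_STRING='*'

# Vulnerable form: the argument is unquoted, so the shell performs pathname
# expansion on the value of QUERY_STRING before 'echo' ever sees it. Any file
# in the script's working directory is listed in the response.
vulnerable_echo() {
    echo QUERY_STRING = $QUERY_STRING
}

# Quick fix from the advisory: quoting passes the value through verbatim.
quoted_echo() {
    echo "QUERY_STRING = $QUERY_STRING"
}

# Longer-term fix from the advisory: 'set -f' turns globbing off for the whole
# script. Done in a subshell here only so it does not leak into the caller.
noglob_echo() {
    ( set -f; echo QUERY_STRING = $QUERY_STRING )
}

# Run one variant (named by $1) inside a fresh directory holding a few
# constructed files, so the effect of expansion is visible and contained.
run_in_scratch() {
    dir=$(mktemp -d)
    : > "$dir/passwd.bak"
    : > "$dir/secret.conf"
    ( cd "$dir" && "$1" )
    rm -rf "$dir"
}

# Constructed access_log lines in common log format (192.0.2.0/24 is the
# documentation range; these are not real requests).
sample_access_log() {
    cat <<'EOF'
192.0.2.10 - - [10/Dec/1996:12:00:01 -0800] "GET /index.html HTTP/1.0" 200 1024
192.0.2.11 - - [10/Dec/1996:12:00:05 -0800] "GET /cgi-bin/nph-test-cgi?* HTTP/1.0" 200 512
192.0.2.12 - - [10/Dec/1996:12:00:09 -0800] "GET /cgi-bin/test-cgi HTTP/1.0" 200 300
EOF
}

# Detection step from the advisory: count log lines that touch the script.
# Reads the log from standard input.
count_nph_hits() {
    grep -c 'nph-test-cgi'
}

# Usage: show each variant's output side by side, then the log count.
for variant in vulnerable_echo quoted_echo noglob_echo; do
    printf '%-16s -> %s\n' "$variant" "$(run_in_scratch "$variant")"
done
printf 'nph-test-cgi hits in sample log: %s\n' "$(sample_access_log | count_nph_hits)"
```

The vulnerable variant prints the scratch directory's file names in place of the asterisk, which is exactly the symptom the advisory tells you to look for on the "QUERY_STRING" line; both fixed variants print the literal '*'. Quoting is the narrower change and is usually what you want for a single 'echo'; 'set -f' is the safer default for a script that handles several untrusted values.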
