httpd-dev mailing list archives

From Rob Hartill <r...@imdb.com>
Subject Security Report: HTTP Server Exploit (fwd)
Date Wed, 11 Dec 1996 16:38:03 GMT

Acked.

I don't think we have this script in 1.2, but if we do I told him we'd
fix/get rid of it.

----- Forwarded message from Josh Richards -----

Date: Wed, 11 Dec 1996 06:38:24 -0800 (PST)
From: Josh Richards <jrichard@fix.net>
To: apache-bugs@apache.org, httpd@ncsa.uiuc.edu, cert@cert.org, 
    bugs@netscape.com
cc: security@datahaven.freedom.gen.ca.us
Subject: Security Report: HTTP Server Exploit
Message-ID: <Pine.BSI.3.95.961211063441.22871A-100000@fletch.fix.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII


I have sent this to involved administrators, please take this problem
seriously as it is readily exploitable on a majority of the Internet's web
servers that I am running across.  If you have any questions don't
hesitate to e-mail me <jrichard@fix.net>.

-----BEGIN PGP SIGNED MESSAGE-----

[I am sending this to administrators of servers that I have noticed this
exploit is possible on when I was verifying which versions of HTTP server
software were vulnerable.  I will be releasing this Security Advisory
shortly to the named mailing lists.  Please contact me if you have any
questions about this matter. <jrichard@fix.net>--JR]

TO:

jtc@fix.net,
rwoolley@callamer.com,
shaug@callamer.com,
jarin@slonet.org,

netadmin@www.calpoly.edu, webmaster@www.calpoly.edu,
root@www.elee.calpoly.edu,

root@netscape.com,
root@www.teleport.com,
root@www.mit.edu,
root@java.sun.com,
root@www.cs.berkeley.edu,
root@sunsite.unc.edu,
root@www.marktwain.com,
root@www.csufresno.edu,
root@www.csu.net,
root@www.ca.gov,
root@www.io.org,
root@www.harvard.edu,
root@www.cdc.net,
root@www.digital.com,
root@www.usenix.org,
perry@jpunix.com, root@alias.net,
webadmin@www.best.com,
action@internic.net, webmaster@internic.net,
root@www.portal.com,
root@www.cray.com,
root@goldrush.com,
root@www.sgi.com,
root@ugu.com,
root@arbornet.org,
root@qnx.com,
root@ipswitch.com,
root@psi.net,
root@interramp.com,
root@novell.com,
root@shadow.cabi.net

Sent to:

BUGTRAQ@netspace.org		(BUGTRAQ mailing list)
apache-bugs@apache.org		(Apache HTTP bug report)
httpd@ncsa.uiuc.edu		(NCSA HTTP Development Group)
cert@cert.org			(CERT Advisory Report)
www-managers@lists.stanford.edu	(WWW Managers list)
2600@2600.com			(2600 Magazine: The Hacker Quarterly)
bugs@netscape.com		(Netscape Inc.)
================================================================================

                               The DataHaven Project
                            ____ SECURITY ADVISORY ____

                                <jrichard@fix.net>
                                 10 December 1996
================================================================================

Program(s): nph-test-cgi (a commonly installed sample CGI script)

Problems: Anyone can remotely view your filesystems via the web.

Extent/Severity: Majority of UNIX based Internet World Wide Web servers
                 are currently exploitable.

Date: 10 December 1996

Author: jrichard@fix.net (Josh Richards)

Description:

A security hole exists in the nph-test-cgi script included in most UNIX
based World Wide Web daemon distributions.  The nph-* scripts exist to
allow 'non-parsed headers' to be sent via the HTTP protocol (this is not
the cause of this security problem, though).  The problem is that
nph-test-cgi, which prints out information on the current web environment
(just like 'test-cgi' does) does not enclose its arguments to the 'echo'
command inside of quotes....shell escapes are not possible (or at least I
have not found them to be--yet) but shell *expansion* is....  This means
that _any_ remote user can easily browse your filesystem via the WWW.


Versions:

[PLEASE NOTE: These are only the ones that I have access to and could test
out and verify.--JR]

NCSA HTTP 1.3, 1.4, 1.4.1, 1.4.2, 1.5.1, 1.5.2
Apache HTTP 0.8.11, 0.8.14, 1.0.0, 1.0.2, 1.0.3, 1.0.5, 1.1.1, 1.2b2
Apache-SSL HTTP 1.0.5, 1.1.1
StrongHold 1.3.2 (basically Apache 1.1.1 + SSL extensions)
Netscape
   Communications 1.1, 1.12
   Enterprise 2.0a
   Commerce 1.12
BESTWWWD 1.0


Exploit:

Enter the URL: <http://yourwebserver.com/cgi-bin/nph-test-cgi?*>

Replace <yourwebserver.com> with the hostname of a server running a web
daemon near you.

[Please note that the asterisk ('*') on the end of the URL is very
important.]

Now look very closely at the line beginning with "QUERY_STRING". 
Does it look familiar to you?  It should (if it doesn't you should really
spend a little more time looking at what is installed on your system). 

Similar URLs such as <http://yourwebserver.com/cgi-bin/nph-test-cgi?/*>
will allow users to traverse the filesystem and view the contents of
other directories on your server.


History:

A similar bug was reported in a L0pht advisory (from mudge@l0pht.com) in
April 1996 with another (very similar) cgi script ('test-cgi') and it was
subsequently fixed by most of the major distributions. See
<URL:http://www.l0pht.com/advisories/test-cgi-vulnerability> for more
information.


Fix:

Type 'chmod 700 nph-test-cgi' at your nearest shell prompt (as superuser). 

:-) 

If it is necessary to have the script accessible (I don't know why it
would be though) then a quick fix is to put quotes around all parameters
to 'echo'. 

A longer term fix is to disable shell 'globbing' completely.  This can be
accomplished with 'set -f' if you are using a bourne derived shell. 


Prevention:

Apply the above suggested fixes.  Watch your server's access_logs for any
accesses to "/cgi-bin/nph-test-cgi" by doing a grep for "nph-test-cgi". 


Notes:

There are _many_ CGI scripts written (I am guilty of writing them myself) 
that do not check the input environment/variables enough.  Please check
your quickly-hacked-together-just-to-get-the-job-done shell scripts
carefully. UNIX can be powerful--too powerful for its (our?) own good
sometimes..


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMq5YvWm9zE6XY0w5AQGXrgP/X2DjjDQjKl2Aqpn0F/8AyTyLbt1x7IMu
vJrd03ykGQ47ukmcW5B+B7PsJh77gIRSMSm/xwoHMN0v/cUrXo8egfckXXGGqtpC
Hu+ioOVDtBqRHw1XsVyDdEkkb9pTyCnW6kmThthgDOYFXaqiflWKGyYvDehORDpT
TMmu/fJWT+g=
=GqD9
-----END PGP SIGNATURE-----


|   Josh Richards -- Network Admin/Tech Support @ ***The FIX Network***     |
|   <jrichard@FIX.Net> <jrichard@Freedom.Gen.Ca.Us> <jrichard@Slonet.Org>   |
| <http://www.freedom.gen.ca.us/jrichard/>            Finger for my PGP Key |
|  - '"Anonymity is bad," says a source who wishes to remain anonymous.' -  |


----- End of forwarded message from Josh Richards -----

-- 
Rob Hartill.       Internet Movie Database Ltd.    http://www.imdb.com/  
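The globbing behaviour the advisory's Description section explains, together with the two fixes its Fix section proposes and the access_log grep from its Prevention section, as an added example written for this archive page. It is not code from Rob Hartill, Josh Richards, or any of the server distributions named above, and it does not reproduce the real nph-test-cgi script: the function names, the scratch directory and its file names, and the sample log lines are assumptions constructed for the demonstration. The shell argument '*' stands in for the '?*' at the end of the advisory's URL, which the server would hand to the script in QUERY_STRING.

```shell
#!/bin/sh
# Added example, not the nph-test-cgi shipped with any server: a minimal
# stand-in for the unquoted 'echo' that reproduces the pathname-expansion
# flaw the advisory describes, beside the quoting and 'set -f' fixes.
# The directory, file names and log lines are constructed for the demo.

WORKDIR=$(mktemp -d)
DOCROOT="$WORKDIR/htdocs"
LOGFILE="$WORKDIR/access_log"
mkdir "$DOCROOT"
touch "$DOCROOT/passwd" "$DOCROOT/secret.txt" "$DOCROOT/shadow"
trap 'rm -rf "$WORKDIR"' EXIT

# Vulnerable form.  $QUERY_STRING is expanded unquoted, so the shell
# performs pathname expansion on its value before 'echo' ever sees it:
# a query of '*' turns into a listing of the script's working directory,
# and an absolute glob such as '/etc/*' lists that directory instead.
vulnerable_report() {
    QUERY_STRING=$1
    ( cd "$DOCROOT" && echo QUERY_STRING = $QUERY_STRING )
}

# Fix 1 (the advisory's quick fix): quote the argument.  The value now
# reaches 'echo' as one literal word and no expansion takes place.
quoted_report() {
    QUERY_STRING=$1
    ( cd "$DOCROOT" && echo "QUERY_STRING = $QUERY_STRING" )
}

# Fix 2 (the advisory's longer-term fix): 'set -f' turns off pathname
# expansion for the whole shell, so even an unquoted expansion is left
# alone.  Word splitting on unquoted expansions still happens, so
# quoting remains the better habit; 'set -f' is a safety net.
noglob_report() {
    QUERY_STRING=$1
    ( cd "$DOCROOT" && set -f && echo QUERY_STRING = $QUERY_STRING )
}

# Detection, as the advisory's Prevention section suggests: count the
# requests for nph-test-cgi in a common-log-format access_log.
# Prints the number of matching lines (0 when grep finds none).
count_nph_test_cgi_hits() {
    grep -c 'nph-test-cgi' "$1" || true
}

# Constructed sample log: one ordinary request followed by two probes
# of the kind the advisory's Exploit section describes.
cat > "$LOGFILE" <<'EOF'
10.0.0.5 - - [11/Dec/1996:06:30:12 -0800] "GET /index.html HTTP/1.0" 200 1432
10.0.0.9 - - [11/Dec/1996:06:31:02 -0800] "GET /cgi-bin/nph-test-cgi?* HTTP/1.0" 200 611
10.0.0.9 - - [11/Dec/1996:06:31:40 -0800] "GET /cgi-bin/nph-test-cgi?/* HTTP/1.0" 200 2048
EOF

vulnerable_report '*'                 # QUERY_STRING = passwd secret.txt shadow
quoted_report '*'                     # QUERY_STRING = *
noglob_report '*'                     # QUERY_STRING = *
count_nph_test_cgi_hits "$LOGFILE"    # 2
```

The `cd` into the constructed directory plays the part of whatever working directory the real script ran in on the server; the point the advisory makes is that the expansion happens in the shell, not in the web server, so it is independent of which httpd invoked the script and applies to any shell CGI that passes a request-controlled variable to a command unquoted.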
