exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

cgiDisclose.txt

cgiDisclose.txt
Posted Aug 27, 2006
Authored by Susam Pal | Site susampal.blogspot.com

A CGI script source disclosure flaw exists for Apache version 2.2.2 on Windows.

tags | advisory, cgi
systems | windows
SHA-256 | a6a0387f2d698b421275702177e3014a3695f9a3e2da9e7277cbf89bc1d9d223

cgiDisclose.txt

Change Mirror Download
ADVISORY NAME:
CGI Script Source Code Disclosure Vulnerability in Apache for Windows

VULNERABLE SYSTEMS:
The vulnerability has been verified on Apache 2.2.2 running on Microsoft Windows XP, Version 2002, Service Pack 2.

FOUND BY:
Susam Pal

FOUND ON:
8th August, 2007

VULNERABILITY TYPE:
Information Disclosure

SYSTEM DESCRIPTION:
Apache HTTPD is a web server that can run on many platforms to provide web-service. The basic server configuration is controlled by the file 'httpd.conf'. The 'DocumentRoot' directive controls which directory is considered to be root for serving documents. For instance:-

DocumentRoot "/home/webmaster/site/docroot/"

In the above example, a request to 'https://[target]/foo.html' would fetch the 'foo.html' page from '/home/webmaster/site/docroot/' directory of the server.

The 'ScriptAlias' directive controls which directory contains server scripts. The following is an example of a typical 'ScriptAlias' directive:-

ScriptAlias /cgi-bin/ "/home/webmaster/site/docroot/cgi-bin"

If a user makes a direct request to 'https://[target]/cgi-bin/foo' where 'cgi-bin' is the scripts' directory and 'foo' is the script, the user gets the output of the 'foo' script. In a secure system, the user is not supposed to view the source-code of 'foo' by making an HTTP GET request.

VULNERABILITY DESCRIPTION:
Usually the following directives in 'httpd.conf' file can be considered safe for Unix/Linux (assuming that other directives haven't been insanely edited):-

# Sample Safe Configuration for Unix/Linux
DocumentRoot "/home/webmaster/site/docroot/"
ScriptAlias /cgi-bin/ "/home/webmaster/site/docroot/cgi-bin"

But a similar configuration isn't safe in Windows. For instance:-

# Sample Unsafe Configuration for Windows
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/docroot/cgi-bin/"

If the scripts' directory (represented by 'ScriptAlias') lies inside the document-root directory (represented by 'DocumentRoot') and the name of the script-alias is same as that of the directory containing the scripts then the attacker can obtain the source code of the CGI scripts by making a direct request to 'https://[target]/CGI-BIN/foo'.

Apache web-server checks for the exact case mentioned in the 'ScriptAlias' directive before deciding whether the directory mentioned in the HTTP GET request is a scripts' directory or not. So, when Apache web-server receives a request for a file in 'CGI-BIN' directory, it finds it to be different from 'cgi-bin' mentioned in the 'ScriptAlias' directive. So, it concludes that it is not a script-alias. Then it checks for 'CGI-BIN' directory in the document-root directory and finds it since file-names and directory-names are not case-sensitive on Windows. So, it simply sends the content of the 'foo' file as the HTTP response. It doesn't execute the 'foo' script because it isn't found in a directory pointed by script-alias.

EXPLOIT:
The vulnerability can be exploited by making a direct request to https://[target]/CGI-BIN/foo

PREVENTION:
1. Choosing a name for the 'ScriptAlias' different from the name of the actual directory will reduce the risk. For instance,

# Sample Configuration for Reducing Risk
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/docroot/sdy1x9y/"

The attacker can still get the source code by making a direct request to 'https://[target]/sdy1x9y/foo' if the attacker can somehow determine that the 'ScriptAlias /cgi-bin/' refers to the 'sdy1x9y' directory.

2. A more secure preventive measure would be to place the scripts folder outside the 'DocumentRoot' directory and then form a 'ScriptAlias' to it. For instance,

# Sample Configuration for Increased Security
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/cgi-bin"

DISCLAIMER:
The information, codes and exploits in this advisory should be used for research, experimentation, bug-fixes and patch-releases only. The author shall not be liable in any event of any damages, incidental or consequential, in connection with, or arising out of this advisory, or its codes and exploits.

CONTACT INFORMATION:
For more information, please contact:-

Susam Pal
Infosys Technologies Ltd.
Survey No. 210, Manikonda Village
Lingampally, Rangareddy District
Hyderabad, PIN 500019
India
Phone No.: +91-9985259521
Email: susam.pal@gmail.com
https://susampal.blogspot.com/
https://securecoding.blogspot.com/
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close