Copy Link
Add to Bookmark
Report
CERT Advisory 139
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
CERT(sm) Advisory CA-97.07
Original issue date: February 18, 1997
Last revised: February 21, 1997
Corrected organization names in acknowledgements.
Topic: Vulnerability in the httpd nph-test-cgi script
- -----------------------------------------------------------------------------
Because of ongoing activity relating to a vulnerability in the nph-test-cgi
script included with some http daemons, the CERT Coordination Center staff is
issuing this recommendation to check your cgi-bin directory. By exploiting
this vulnerability, users of Web clients can read a listing of files they are
not authorized to see.
The CERT/CC team recommends removing the script from your system and checking
Appendix A of this advisory for information provided by vendors.
We also urge you to read CERT advisory CA-96.06.cgi_example_code for
another CGI-related vulnerability that continues to be exploited.
We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.
- -----------------------------------------------------------------------------
I. Description
A vulnerability in the nph-test-cgi script included with some http
daemons makes it possible for the users of Web clients to read a listing
of files they are not authorized to read. This script is designed to
display information about the Web server environment, but it parses data
requests too liberally and thus allows a person to view a listing of
arbitrary files on the Web server host.
II. Impact
By exploiting this vulnerability, remote users can read a listing of files
they are not authorized to read. Access to an account on the system is
not necessary.
III. Solution
We recommend removing or disabling the nph-test-cgi script (see
Sec. A). If you must keep the script, follow the suggestion in
Sec. B. All readers should also check Appendix A for information supplied
by vendors.
A. Remove or disable the script
Some World Wide Web servers include this script by default, but it is
possible that some sites have installed this script manually.
Therefore, we encourage all sites to check whether they have this
script by searching for the file nph-test-cgi in the cgi-bin directory
associated with their web server.
If you find the script, we urge you to either remove the program
itself or remove the execute permissions from the program. The
nph-test-cgi program is not required to run httpd successfully.
Also note that a web server may have multiple cgi-bin directories. It
is not sufficient to look in the regular location only. For example,
in the NCSA HTTPd server, you can specify alternate locations for the
scripts by setting the ScriptAlias directive in the srm.conf file. See
your vendor's documentation to learn if your sever provides this
feature. If you are using this feature, you need to remove the
nph-test-cgi script or apply the workaround below in every cgi-bin
directory.
B. Modify existing scripts
If you must continue to use this test-cgi script, then we encourage
you to search for lines of code that echo variables and ensure
that the variable string to be echoed is quoted. For instance,
lines of the form:
echo QUERY_STRING = $QUERY_STRING
should read
echo QUERY_STRING = "$QUERY_STRING"
C. Vendor Information
Please check Appendix A for information supplied by vendors; we will
update the appendix as we receive additional information. If you do not
see your vendor's name, then we did not hear from that vendor. Please
contact the vendor directly.
Note: Even if your vendor did not ship the nph-test-cgi script,
you should check your cgi-bin directory in case someone at your
site added such a script later.
IV. Additional Reading
Several resources relating to Web security in general are available.
The following resources provide a useful starting point. They include
links describing general WWW security, secure httpd setup, and secure CGI
programming.
The World Wide Web Security FAQ:
http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html
NSCA's "Security Concerns on the Web" Page:
http://hoohoo.ncsa.uiuc.edu/security/
The following book contains useful information, including sections on
secure programming techniques.
_Practical Unix & Internet Security_, Simson Garfinkel and
Gene Spafford, 2nd edition, O'Reilly and Associates, 1996.
(Note that we provide these pointers for your convenience. As this is not
CERT/CC material, we cannot be responsible for content or availability.
Please contact the administrators of the sites if you have difficulties
with access.)
...........................................................................
Appendix A - Vendor Information
Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional information.
If you do not see your vendor's name, the CERT/CC did not hear from that
vendor. Please contact the vendor directly.
Apache
=====
The latest version of Apache, 1.1.3, does not contain the nph-test-cgi
cgi-script. The test-cgi script included with Apache 1.1.3 does
contain the filename globbing bug, but does not ship enabled by
default.
Apache-SSL
==========
The current version of Apache-SSL is against 1.1.1, and so does not
suffer from this problem. Also, Apache-SSL is distributed as patches
to Apache, and so does not, in itself, contain any CGI scripts.
Stronghold
==========
Stronghold 1.3.4 ships with no pre-installed CGI scripts.
Microsoft
=========
With regard to NT/IIS we don't ship the script referenced.
Also see recommendations at
http://www.microsoft.com/intdev and http://www.microsoft.com/pdc
National Center for Supercomputing Applications
===============================================
The NCSA(tm) HTTPd comes with a variety of test cgi scripts, including
nph-test-cgi. Also included are test-cgi, test-cgi.tcl, and test-env.
These test scripts are readily identified by the word "test" in their
names. They have been provided at the request of our web server community
to test the server installation and facilitate the development of cgi
scripts. When working perfectly they provide private information about the
server and cgi environment.
Test cgi programs are not intended to be left on an operational server. If
using the NCSA HTTPd server for operational use, many configuration issues
must be addressed. Among those issues is the use of cgi scripts. No
script should be run on a server that has not been carefully reviewed.
This is especially true for the test scripts, which were never intended to
be left on an operational server.
Users of NCSA HTTPd should be running the most current version (1.5.2a) to
ensure that security patches are implemented. Test cgi scripts should be
removed from cgi-bin directories before putting a server in operational
use.
Please see http://hoohoo.ncsa.uiuc.edu/security for further details on
securely installing the NCSA HTTPd server.
To report security vulnerabilities in NCSA products, email the NCSA
Incident Response and Security Team (irst@ncsa.uiuc.edu).
NCSA is a trademark of the University of Illinois Board of Trustees.
- -----------------------------------------------------------------------------
The CERT Coordination Center thanks David Kennedy of the National Computer
Security Association, Ken Rowe of the NCSA(tm) IRST, and Josh Richards for
providing information about this problem.
- -----------------------------------------------------------------------------
If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see ftp://info.cert.org/pub/FIRST/first-contacts).
CERT/CC Contact Information
- ----------------------------
Email cert@cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
and are on call for emergencies during other hours.
Fax +1 412-268-6989
Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA
Using encryption
We strongly urge you to encrypt sensitive information sent by email. We can
support a shared DES key or PGP. Contact the CERT/CC for more information.
Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key
Getting security information
CERT publications and other security information are available from
http://www.cert.org/
ftp://info.cert.org/pub/
CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce
To be added to our mailing list for advisories and bulletins, send
email to
cert-advisory-request@cert.org
In the subject line, type
SUBSCRIBE your-email-address
- ---------------------------------------------------------------------------
Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is
included.
CERT is a service mark of Carnegie Mellon University.
- ---------------------------------------------------------------------------
This file: ftp://info.cert.org/pub/cert_advisories/CA-97.07.nph-test-cgi_script
http://www.cert.org
click on "CERT Advisories"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history
February 21, 1997 Acknowledgements - corrected organization names.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMw4EFHVP+x0t4w7BAQG/awQAz/0bxgpFffdWh9FVMM8Fp9J45swP+/ZS
LY4ujfQVm5n8Qibxhy8Vk4ZhCRLO7pPE7X9PRuSm8MQF2ZWirttHhdVs1eK/8WrA
+HSo+Y1HXoybDr7wN7Sprn0d4ss5xM/VQHDsmOTtikq+FHEq6CvBf+2J8gqygFU1
HOYspVfMQ9E=
=qGBy
-----END PGP SIGNATURE-----