
Title: Vulnerability in the httpd nph-test-cgi script
Released by: CERT
Date: 18th February 1997
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
CERT(sm) Advisory CA-97.07
Original issue date: February 18, 1997
Last Revised: September 26, 1997
              Updated copyright statement

              A complete revision history is at the end of this file.

Topic: Vulnerability in the httpd nph-test-cgi script
- -----------------------------------------------------------------------------



Because of ongoing activity relating to a vulnerability in the nph-test-cgi
script included with some http daemons, the CERT Coordination Center staff is
issuing this recommendation to check your cgi-bin directory. By exploiting
this vulnerability, users of Web clients can read a listing of files they are
not authorized to see.

The CERT/CC team recommends removing the script from your system and checking
Appendix A of this advisory for information provided by vendors.

We also urge you to read CERT advisory CA-96.06.cgi_example_code for
another CGI-related vulnerability that continues to be exploited.

We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.

- -----------------------------------------------------------------------------



I.   Description

     A vulnerability in the nph-test-cgi script included with some http
     daemons makes it possible for the users of Web clients to read a listing
     of files they are not authorized to read. This script is designed to
     display information about the Web server environment, but it parses data
     requests too liberally and thus allows a person to view a listing of
     arbitrary files on the Web server host.

II.  Impact

     By exploiting this vulnerability, remote users can read a listing of files
     they are not authorized to read. Access to an account on the system is
     not necessary.



III. Solution

     We recommend removing or disabling the nph-test-cgi script (see
     Sec. A). If you must keep the script, follow the suggestion in
     Sec. B. All readers should also check Appendix A for information supplied
     by vendors.

     A. Remove or disable the script

        Some World Wide Web servers include this script by default, but it is
        possible that some sites have installed this script manually.
        Therefore, we encourage all sites to check whether they have this
        script by searching for the file nph-test-cgi in the cgi-bin directory
        associated with their web server.

        If you find the script, we urge you to either remove the program
        itself or remove the execute permissions from the program. The
        nph-test-cgi program is not required to run httpd successfully.

        Also note that a web server may have multiple cgi-bin directories. It
        is not sufficient to look in the regular location only. For example,
        in the NCSA HTTPd server, you can specify alternate locations for the
        scripts by setting the ScriptAlias directive in the srm.conf file. See
        your vendor's documentation to learn if your server provides this
        feature. If you are using this feature, you need to remove the
        nph-test-cgi script or apply the workaround below in every cgi-bin
        directory.
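The check described in Sec. A, written out as an added example. This is not CERT's or any vendor's code: it reads every ScriptAlias directory out of an NCSA-style srm.conf, reports any of the test scripts NCSA names in Appendix A (nph-test-cgi, test-cgi, test-cgi.tcl, test-env) found in those directories, and clears their execute bits. The srm.conf fragment, directory names and script contents it creates under a temporary directory are constructed for the demonstration; a real run would point script_alias_dirs at the server's own srm.conf.

```shell
#!/bin/sh
# Added example, not part of the CERT advisory or of any vendor's server
# distribution. Enumerates every ScriptAlias directory named in an
# NCSA-style srm.conf and reports test CGI scripts found there.

# Print the filesystem directory of every ScriptAlias line in a config file,
# one per line. Lines look like:
#   ScriptAlias /cgi-bin/ /usr/local/etc/httpd/cgi-bin/
# The third field is the filesystem path; a trailing slash is dropped.
script_alias_dirs() {
    conf="$1"
    grep -i '^[[:space:]]*ScriptAlias[[:space:]]' "$conf" \
        | awk '{ print $3 }' \
        | sed 's:/*$::'
}

# List the test scripts named in the advisory that exist in the given
# directories. Prints one "dir/name" per hit.
find_test_scripts() {
    for dir in "$@"; do
        for name in nph-test-cgi test-cgi test-cgi.tcl test-env; do
            if [ -e "$dir/$name" ]; then
                printf '%s\n' "$dir/$name"
            fi
        done
    done
}

# Remove execute permissions from each path given (the advisory's
# "remove the execute permissions from the program" option).
disable_scripts() {
    for path in "$@"; do
        chmod a-x "$path"
    done
}

# Demonstration on a constructed layout: two ScriptAlias directories, one
# holding nph-test-cgi and the other test-cgi, both executable.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/cgi-bin" "$tmp/alt-cgi"
    printf '#!/bin/sh\necho hello\n' > "$tmp/cgi-bin/nph-test-cgi"
    printf '#!/bin/sh\necho hello\n' > "$tmp/alt-cgi/test-cgi"
    chmod 755 "$tmp/cgi-bin/nph-test-cgi" "$tmp/alt-cgi/test-cgi"
    cat > "$tmp/srm.conf" <<EOF
# constructed srm.conf fragment for the demonstration
ScriptAlias /cgi-bin/ $tmp/cgi-bin/
ScriptAlias /alt/ $tmp/alt-cgi/
EOF
    hits=$(find_test_scripts $(script_alias_dirs "$tmp/srm.conf"))
    echo "Test scripts found in ScriptAlias directories:"
    printf '%s\n' "$hits"
    disable_scripts $hits
    ls -l "$tmp/cgi-bin/nph-test-cgi" "$tmp/alt-cgi/test-cgi"
    rm -rf "$tmp"
}

demo
```

The directory names produced by script_alias_dirs are word-split when passed to find_test_scripts, so the functions assume paths without whitespace, which is the usual case for cgi-bin locations. Servers that take CGI directories from a different directive or file need the grep pattern in script_alias_dirs adjusted accordingly.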



     B. Modify existing scripts

        If you must continue to use this test-cgi script, then we encourage
        you to search for lines of code that echo variables and ensure
        that the variable string to be echoed is quoted. For instance,
        lines of the form:

                echo QUERY_STRING = $QUERY_STRING

        should read

                echo QUERY_STRING = "$QUERY_STRING"
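The two echo forms from Sec. B side by side, plus the search for unquoted echo lines the section asks for, as an added example that is not the nph-test-cgi script itself and not CERT's or NCSA's code. The sample script it scans is constructed for the demonstration; unquoted_echo_lines is a heuristic that strips double-quoted segments from each line and flags the remaining echo lines that still expand a variable, so it may miss variables expanded inside single quotes or backticks.

```shell
#!/bin/sh
# Added example, not part of the CERT advisory or of any server's test-cgi
# script. Shows why the quoting fix in Sec. B matters and how to find the
# lines that need it.

# The vulnerable form: the variable is unquoted, so after expansion the shell
# performs word splitting and pathname (glob) expansion on its contents.
# Runs of whitespace collapse, and glob metacharacters in the value are
# replaced by the names of matching files in the script's working directory.
render_unquoted() {
    QUERY_STRING="$1"
    echo QUERY_STRING = $QUERY_STRING
}

# The corrected form: double quotes suppress word splitting and glob
# expansion, so the value is printed exactly as received.
render_quoted() {
    QUERY_STRING="$1"
    echo QUERY_STRING = "$QUERY_STRING"
}

# Report echo lines in a script whose variable expansion is not inside double
# quotes. Quoted segments are removed from a copy of the line first, so an
# echo whose only expansion sits inside quotes is not flagged. Output format:
# "<line number>:<original line>". Heuristic, not a full shell parser.
unquoted_echo_lines() {
    awk '{
        line = $0
        gsub(/"[^"]*"/, "", line)
        if (line ~ /echo.*[$][A-Za-z_{]/) print NR ":" $0
    }' "$1"
}

# A constructed test-cgi style script with one unquoted echo on line 5.
sample_script() {
    cat <<'EOF'
#!/bin/sh
echo Content-type: text/plain
echo
echo SERVER_SOFTWARE = "$SERVER_SOFTWARE"
echo QUERY_STRING = $QUERY_STRING
echo "REMOTE_ADDR = $REMOTE_ADDR"
EOF
}

demo() {
    tmp=$(mktemp -d)
    sample_script > "$tmp/test-cgi"
    echo "Lines that echo an unquoted variable:"
    unquoted_echo_lines "$tmp/test-cgi"
    echo "Unquoted form with a value containing runs of spaces:"
    render_unquoted 'a   b'
    echo "Quoted form with the same value:"
    render_quoted 'a   b'
    rm -rf "$tmp"
}

demo
```

To audit a real cgi-bin directory, run unquoted_echo_lines over each script there and quote every expansion it reports; the output line number points at the exact line to change.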



     C. Vendor Information

        Please check Appendix A for information supplied by vendors; we will
        update the appendix as we receive additional information. If you do not
        see your vendor's name, then we did not hear from that vendor. Please
        contact the vendor directly.

        Note: Even if your vendor did not ship the nph-test-cgi script,
              you should check your cgi-bin directory in case someone at your
              site added such a script later.



IV.  Additional Reading

     Several resources relating to Web security in general are available.
     The following resources provide a useful starting point. They include
     links describing general WWW security, secure httpd setup, and secure CGI
     programming.

        The World Wide Web Security FAQ:
                http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html

        NCSA's "Security Concerns on the Web" Page:
                http://hoohoo.ncsa.uiuc.edu/security/

     The following book contains useful information, including sections on
     secure programming techniques.

        _Practical Unix & Internet Security_, Simson Garfinkel and
        Gene Spafford, 2nd edition, O'Reilly and Associates, 1996.

     (Note that we provide these pointers for your convenience. As this is not
     CERT/CC material, we cannot be responsible for content or availability.
     Please contact the administrators of the sites if you have difficulties
     with access.)

...........................................................................



Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional information.
If you do not see your vendor's name, the CERT/CC did not hear from that
vendor. Please contact the vendor directly.

Apache
=====
   The latest version of Apache, 1.1.3, does not contain the nph-test-cgi
   cgi-script. The test-cgi script included with Apache 1.1.3 does
   contain the filename globbing bug, but does not ship enabled by
   default.

Apache-SSL
==========
   The current version of Apache-SSL is against 1.1.1, and so does not
   suffer from this problem. Also, Apache-SSL is distributed as patches
   to Apache, and so does not, in itself, contain any CGI scripts.

Stronghold
==========
   Stronghold 1.3.4 ships with no pre-installed CGI scripts.

Microsoft
=========
   With regard to NT/IIS we don't ship the script referenced.

   Also see recommendations at
      http://www.microsoft.com/intdev and http://www.microsoft.com/pdc

National Center for Supercomputing Applications
===============================================

   The NCSA(tm) HTTPd comes with a variety of test cgi scripts, including
   nph-test-cgi.  Also included are test-cgi, test-cgi.tcl, and test-env.
   These test scripts are readily identified by the word "test" in their
   names.  They have been provided at the request of our web server community
   to test the server installation and facilitate the development of cgi
   scripts.  When working perfectly they provide private information about the
   server and cgi environment.

   Test cgi programs are not intended to be left on an operational server.  If
   using the NCSA HTTPd server for operational use, many configuration issues
   must be addressed.  Among those issues is the use of cgi scripts.  No
   script should be run on a server that has not been carefully reviewed.
   This is especially true for the test scripts, which were never intended to
   be left on an operational server.

   Users of NCSA HTTPd should be running the most current version (1.5.2a) to
   ensure that security patches are implemented.  Test cgi scripts should be
   removed from cgi-bin directories before putting a server in operational
   use.

   Please see http://hoohoo.ncsa.uiuc.edu/security for further details on
   securely installing the NCSA HTTPd server.

   To report security vulnerabilities in NCSA products, email the NCSA
   Incident Response and Security Team (irst@ncsa.uiuc.edu).

   NCSA is a trademark of the University of Illinois Board of Trustees.

- -----------------------------------------------------------------------------

The CERT Coordination Center thanks David Kennedy of the National Computer
Security Association, Ken Rowe of the NCSA(tm) IRST, and Josh Richards for
providing information about this problem.
- -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see http://info.cert.org/pub/FIRST/first-contacts).





CERT/CC Contact Information
- ----------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
                and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We can
   support a shared DES key or PGP. Contact the CERT/CC for more information.
   Location of CERT PGP key
         http://info.cert.org/pub/CERT_PGP.key

Getting security information
   CERT publications and other security information are available from
        http://www.cert.org/
        http://info.cert.org/pub/

   CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

   To be added to our mailing list for advisories and bulletins, send
   email to
        cert-advisory-request@cert.org
   In the subject line, type
        SUBSCRIBE  your-email-address

- ------------------------------------------------------------------------------



Copyright 1997 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.

- ---------------------------------------------------------------------------

This file: http://info.cert.org/pub/cert_advisories/CA-97.07.nph-test-cgi_script
           http://www.cert.org
               click on "CERT Advisories"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Revision history

September 26, 1997  Updated copyright statement
February 21, 1997   Acknowledgements - corrected organization names.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOBS/ZVr9kb5qlZHQEQIyjwCeLW2KmK2S8YhBrNIM3Eu7Jf9k+/AAnjRD
mDO/3pivExMl4sdMnTeech/W
=QAvG
-----END PGP SIGNATURE-----







