CGI Script Source Code Disclosure Vulnerability in Apache for Windows

Written by Marcelo Almeida (Vympel)
Friday, 11 August 2006

VULNERABLE SYSTEMS:

FOUND BY: Susam Pal

FOUND ON: 8th August, 2007

VULNERABILITY TYPE: Information Disclosure

SYSTEM DESCRIPTION:

Apache HTTPD is a web server that can run on many platforms to provide web-service... The basic server configuration is controlled by the file 'httpd.conf'. The 'DocumentRoot' directive controls which directory is considered to be the root for serving documents. For instance:

    DocumentRoot "/home/webmaster/site/docroot/"

In the above example, a request to 'http://[target]/foo.html' would fetch the 'foo.html' page from the '/home/webmaster/site/docroot/' directory of the server.

The 'ScriptAlias' directive controls which directory contains server scripts. The following is an example of a typical 'ScriptAlias' directive:

    ScriptAlias /cgi-bin/ "/home/webmaster/site/docroot/cgi-bin"

If a user makes a direct request to 'http://[target]/cgi-bin/foo', where 'cgi-bin' is the scripts' directory and 'foo' is the script, the user gets the output of the 'foo' script. In a secure system, the user is not supposed to be able to view the source code of 'foo' by making an HTTP GET request.

VULNERABILITY DESCRIPTION:

# Sample Safe Configuration for Unix/Linux

But a similar configuration isn't safe in Windows. For instance:

# Sample Unsafe Configuration for Windows

If the scripts' directory (represented by 'ScriptAlias') lies inside the document-root directory (represented by 'DocumentRoot') and the name of the script-alias is the same as that of the directory containing the scripts, then the attacker can obtain the source code of the CGI scripts by making a direct request to 'http://[target]/CGI-BIN/foo'.

The Apache web server checks for the exact case mentioned in the 'ScriptAlias' directive before deciding whether the directory mentioned in the HTTP GET request is a scripts' directory or not. So, when the Apache web server receives a request for a file in the 'CGI-BIN' directory, it finds it to be different from the 'cgi-bin' mentioned in the 'ScriptAlias' directive, and concludes that it is not a script-alias. Then it checks for a 'CGI-BIN' directory in the document-root directory and finds it, since file names and directory names are not case-sensitive on Windows. So, it simply sends the content of the 'foo' file as the HTTP response. It doesn't execute the 'foo' script because it isn't found in a directory pointed to by a script-alias.

EXPLOIT:

PREVENTION:

# Sample Configuration for Reducing Risk

The attacker can still get the source code by making a direct request to 'http://[target]/sdy1x9y/foo' if the attacker can somehow determine that the 'ScriptAlias /cgi-bin/' refers to the 'sdy1x9y' directory.

2. A more secure preventive measure would be to place the scripts folder outside the 'DocumentRoot' directory and then form a 'ScriptAlias' to it. For instance,

# Sample Configuration for Increased Security

DISCLAIMER:

CONTACT INFORMATION:

Infosys Technologies Ltd.
Survey No. 210, Manikonda Village
Lingampally, Rangareddy District
Hyderabad, PIN 500019
India
Phone No.: +91-9985259521
Email: susam.pal_at_gmail.com
http://susampal.blogspot.com/
http://securecoding.blogspot.com/
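
A configuration check for the condition described under VULNERABILITY DESCRIPTION and PREVENTION, as an added example that is not part of the original advisory: it reads httpd.conf text and reports whether each ScriptAlias target lies inside DocumentRoot when paths are compared case-insensitively, as on Windows. The sample configurations and their C:/ paths are constructed, and the script assumes a single global DocumentRoot.

```python
import ntpath
import re

# Constructed sample configurations (hypothetical Windows paths, not from the advisory).
SAME_NAME = 'DocumentRoot "C:/site/docroot"\nScriptAlias /cgi-bin/ "C:/site/docroot/cgi-bin/"\n'
RENAMED = 'DocumentRoot "C:/site/docroot"\nScriptAlias /cgi-bin/ "C:/site/docroot/sdy1x9y/"\n'
OUTSIDE = 'DocumentRoot "C:/site/docroot"\nScriptAlias /cgi-bin/ "C:/site/cgi-bin/"\n'

TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def directives(conf_text):
    """Yield (lower-cased directive name, argument list), skipping comments."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            args = [quoted or bare for quoted, bare in TOKEN.findall(line)]
            yield args[0].lower(), args[1:]


def parts(path):
    """Split a path the way a case-insensitive Windows filesystem compares it."""
    return ntpath.normcase(ntpath.normpath(path)).split("\\")


def audit(conf_text):
    """Return (alias, verdict, url) for every ScriptAlias in the configuration."""
    docroot, aliases = None, []
    for name, args in directives(conf_text):
        if name == "documentroot" and args:
            docroot = parts(args[0])
        elif name == "scriptalias" and len(args) == 2:
            aliases.append((args[0], parts(args[1])))
    findings = []
    for alias, target in aliases:
        # Compare whole path components so "docroot2" is not taken for "docroot".
        if docroot is None or target[:len(docroot)] != docroot:
            findings.append((alias, "outside-docroot", None))
            continue
        # URL path under which DocumentRoot also serves the script directory.
        url = "/" + "/".join(target[len(docroot):])
        same = url == alias.rstrip("/").lower()
        findings.append((alias, "inside-same-name" if same else "inside-renamed", url))
    return findings


if __name__ == "__main__":
    for label, conf in (("same name", SAME_NAME), ("renamed", RENAMED), ("outside", OUTSIDE)):
        print(label, audit(conf))
```

A verdict of "inside-same-name" is the unsafe Windows layout, "inside-renamed" is the reduced-risk layout in which the scripts are still served as files under the reported URL path, and "outside-docroot" is the layout recommended as the more secure measure.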






