TUCoPS :: Unix :: General :: httpdhol.txt

NCSA httpd security hole
 

---------- Forwarded message ----------
Date: Fri, 22 Dec 1995 10:03:05 -0600 (CST)
From: David Pratt <dpratt@msc.edu>
To: www-security@ns2.rutgers.edu
Subject: NCSA Httpd Security Hole

December 22, 1995

  I stumbled upon a security risk in NCSA's httpd Version 1.42.
Under certain conditions, you can force the daemon to return the
source code for any scripts contained in /cgi-bin.  This behavior
is not exhibited by Netscape's, or CERN's daemon.  It appears that
this behavior is also present in Version 1.5 as the pertinent
source code is identical.  I do not have that version running, so
it is not possible to test it directly.
  This security hole only presents itself for systems with cgi-bin
directories contained within their DocumentRoot directories.  You
can access the source code by adding multiple "/" preceeding the
cgi-bin portion of the URL.  If indexing is turned on, you can
get a full listing of all files within the cgi-bin directory.
Example URL's follow:
  
     URL:    http://www.foo.com//cgi-bin/
     URL:    http://www.foo.com///cgi-bin/man.pl

  The daemon fails to detect this as a cgi-bin redirect, then
parses the file ///cgi-bin/man.pl from your document root.  Since
the multiple slashes are legal syntax in UNIX, the daemon returns
the file as straight text.  This provides potential hackers a
glimpse at what measures you have taken (or haven't taken) to
thwart their access.
  In perusing the httpd source, the problem appears located in
routine "translate_name" in file "http_alias.c".  An alias table
is built up for string comparisons with the incoming URL.  At
startup, this table is loaded with the value of ScriptAlias in
your configuration files, generally "/cgi-bin".  Comparing
"/cgi-bin" with "//cgi-bin" fails, and the file is returned to
the browser as straight text.
  The short term workaround is listed below.  Basically, the URL
is scanned for multiple slashes as far up the processing pipeline
as possible.  As far as I can determine, this is within function
"unescape_url" in file "util.c".
 


void unescape_url(char *url) {
    register int x,y;
/* 
 *  Remove multiple slashes in URL in place.
 */
    char *src  = url;
    char *dest = url;

    for (; src && *src; src++) {
      if (*src == '/' && *(src+1) == '/') continue;
      *dest++ = *src;
    }
    *dest = '\0';
/*
 *  End Modification
 */

    for(x=0,y=0;url[y];++x,++y) {
        if((url[x] = url[y]) == '%') {
            url[x] = x2c(&url[y+1]);
            y+=2;
        }
    }
    url[x] = '\0';
}


Remember, this hole is ONLY seen if your cgi-bin directory is
located in your DocumentRoot directory.  For those of you with
systems configured like this, and I have seen a lot, sorry to
ruin your plans for cutting out early for Christmas.

-- 

  Dave Pratt 
  dpratt@msc.edu  (612)337-3534
  Minnesota Supercomputer Center Inc.
  Graphics and Visualization Group        
  1200 Washington Avenue South
  Minneapolis, MN  55415

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH