TUCoPS :: Web :: Apache :: ciacg020.txt

NCSA And Apache Httpd Vulnerability


                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___

                             INFORMATION BULLETIN

                 Vulnerability in NCSA and Apache httpd Servers

April 16, 1996 18:00 GMT                                           Number G-20
PROBLEM:       A vulnerability exists in the httpd servers provided by NCSA
               and the Apache organization
PLATFORM:      All systems capable of running either httpd
DAMAGE:        A user can potentially gain the same access privileges as the
               httpd server
SOLUTION:      For NCSA httpd, upgrade to the lates version; For Apache httpd,
               install the patch described below
VULNERABILITY  This vulnerability can lead to compromise of a web server

[ Start IBM Bulletin ]

                  =======  ============    ======       ======
                  =======  ==============  =======     =======
                    ===      ===     ====    ======   ======
                    ===      ===========     ======= =======
                    ===      ===========     === ======= ===
                    ===      ===     ====    ===  =====  ===
                  =======  ==============  =====   ===   =====
                  =======  ============    =====    =    =====

                           EMERGENCY RESPONSE SERVICE

16 April 1996 16:00 GMT                          Number: ERS-SVA-E01-1996:002.2
                        UPDATE TO ERS-SVA-E01-1996:002.1

I. Description

This Security Vulnerability Alert provides updated information about
the NCSA HTTPD and Apache HTTPD Common Gateway Interface vulnerability
described in ERS-SVA-E01-1996:002.1, which was released on 26 February

ERS-SVA-E01-1996:002.1 described a vulnerabilty in the
escape_shell_cmd() function contained in the Common Gateway Interface
sample code file "cgi-src/util.c", provided with NCSA HTTPD Version
1.5 and earlier, or Apache HTTPD Version 1.0.3 and earlier.  This
vulnerabilty allowed a malicious user to embed the newline character
(Hexadecimal 0A) in a query, allowing an arbitrary shell command to be
executed by the HTTPD server.

IBM-ERS has learned that the escape_shell_command() function is also
contained in the server source code file, "src/util.c".  Note that the files
"src/util.c" and "cgi-src/util.c" are not identical, however they contain
identical copies of the escape_shell_command() function.  The file
"src/util.c" is used to build the HTTPD server; therefore the "newline"
vulnerability exists in the server itself.

II. Impact

A malicious user who knows how to exercise this vulnerability may have
the ability to:

  1. Execute arbitrary commands on the server host using the same
     user-id as the user running the "httpd" server.  If "httpd" is
     being run as "root," the unauthorized commands are also run as

  2. Access any file on the system that is accessible to the user-id
     that is running the "httpd" server.  If the "httpd" server
     user-id has read access to the file, the attacker can also read
     the file.  If the "httpd" server user-id has write access to the
     file, the attacker can change or destroy the contents of the
     file.  If the "httpd" server is being run as "root," the attacker
     can read, modify, or destroy any file on the server host.

  3. Given an X11-based terminal emulator ("xterm" or equivalent)
     installed on the "httpd" server host, gain full interactive
     access to the server host just as if he were logging in locally.

III. Solutions

IBM-ERS recommends that you consider taking the following actions
(subject to any licensing restrictions that may apply to your copies
of the programs):

1. If are using NCSA HTTPD, upgrade to Version 1.5.1, which does not
   contain this vulnerability.

   NCSA HTTPD Version 1.5 is available from:


2. If you are using Apache HTTPD, locate the escape_shell_command()
   function in the file "src/util.c" (approximately line 430).  In
   that function, the line that reads

     if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){

   should be changed to read

     if(ind("&;`'\"|*?~<>^()[]{}$\\\n",cmd[x]) != -1){

   The server should then be recompiled, reinstalled, and restarted.

IV. Acknowledgements

IBM-ERS would like to thank the NASA Automated Systems Incident
Response Capability (NASIRC) for providing the information contained
in this update.  NASIRC in turn acknowledges Ken Bell of NASA Goddard
Institute for Sapce Studies for bringing this vulnerability to their
attention, and the NCSA HTTPD Development Team for confirming the
problem and the fix.

IBM-ERS would also like to thank Jennifer Myers, a post-doctoral
fellow at Northwestern University, who originally discovered the
vulnerability described in ERS-SVA-E01-1996:002.1, and made public the
description of the problem and its solution.  This acknowledgement was
omitted from the original alert.


Copyright 1996 International Business Machines Corporation.

[ End IBM Bulletin ]


CIAC wishes to acknowledge the contributions of IBM Emergency Response
Service (IBM-ERS), and those they attribute, for the information
contained in this bulletin.

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the National Institutes of Health (NIH). CIAC is located at
the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of
Incident Response and Security Teams, a global organization
established to foster cooperation and coordination among computer
security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
4. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called ListProcessor, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
valid information for LastName FirstName and PhoneNumber when sending

E-mail to       ciac-listproc@llnl.gov:
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN,
and information on how to change either of them, cancel your
subscription, or get help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

(G-10a) Winword Macro Viruses
(G-11)  HP Syslog Vulnerability
(G-12)  SGI ATT Packaging Utility Security Vulnerability
(G-13)  Kerberos Version 4 Key Server Vulnerability
(G-14)  Domain Name Service Vulnerabilities
(G-15)  Sunsoft Demo CD Vulnerability
(G-16)  SGI rpc.statd Program Security Vulnerabilities
(G-17)  Vulnerabilities in Sample HTTPD CGIs
(G-18)  Digital OSF/1 dxconsole Security Vulnerability
(G-19)  IBM AIX rmail Vulnerability

RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)

Notes 07 - 3/29/95     A comprehensive review of SATAN

Notes 08 - 4/4/95      A Courtney update

Notes 09 - 4/24/95     More on the "Good Times" virus urban legend

Notes 10 - 6/16/95     PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
                       in S/Key, EBOLA Virus Hoax, and Caibua Virus

Notes 11 - 7/31/95     Virus Update, Hats Off to Administrators,
                       America On-Line Virus Scare, SPI 3.2.2 Released, 
                       The Die_Hard Virus

Notes 12 - 9/12/95     Securely configuring Public Telnet Services, X
                       Windows, beta release of Merlin, Microsoft Word
                       Macro Viruses, Allegations of Inappropriate Data
                       Collection in Win95

Notes 96-01 - 3/18/96  Java and JavaScript Vulnerabilities, FIRST
                       Conference Announcement, Security and Web Search
                       Engines, Microsoft Word Macro Virus Update

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH