---------- Forwarded message ----------
Date: Fri, 22 Dec 1995 10:03:05 -0600 (CST)
From: David Pratt <dpratt@msc.edu>
To: www-security@ns2.rutgers.edu
Subject: NCSA Httpd Security Hole

December 22, 1995

I stumbled upon a security risk in NCSA's httpd Version 1.42. Under certain conditions, you can force the daemon to return the source code for any scripts contained in /cgi-bin. This behavior is not exhibited by Netscape's or CERN's daemon. It appears that this behavior is also present in Version 1.5, as the pertinent source code is identical. I do not have that version running, so it is not possible to test it directly.

This security hole only presents itself for systems with cgi-bin directories contained within their DocumentRoot directories. You can access the source code by adding multiple "/" preceding the cgi-bin portion of the URL. If indexing is turned on, you can get a full listing of all files within the cgi-bin directory. Example URLs follow:

    URL: http://www.foo.com//cgi-bin/
    URL: http://www.foo.com///cgi-bin/man.pl

The daemon fails to detect this as a cgi-bin redirect, then parses the file ///cgi-bin/man.pl from your document root. Since multiple slashes are legal syntax in UNIX, the daemon returns the file as straight text. This provides potential hackers a glimpse at what measures you have taken (or haven't taken) to thwart their access.

In perusing the httpd source, the problem appears to be located in routine "translate_name" in file "http_alias.c". An alias table is built up for string comparisons with the incoming URL. At startup, this table is loaded with the value of ScriptAlias in your configuration files, generally "/cgi-bin". Comparing "/cgi-bin" with "//cgi-bin" fails, and the file is returned to the browser as straight text.

The short-term workaround is listed below. Basically, the URL is scanned for multiple slashes as far up the processing pipeline as possible. As far as I can determine, this is within function "unescape_url" in file "util.c".

    void unescape_url(char *url)
    {
        register int x, y;

        /*
         * Remove multiple slashes in URL in place.
         */
        char *src = url;
        char *dest = url;

        for (; src && *src; src++) {
            /* Drop a slash that is immediately followed by another slash. */
            if (*src == '/' && *(src + 1) == '/')
                continue;
            *dest++ = *src;
        }
        *dest = '\0';
        /*
         * End Modification
         */

        /* Original body: decode %XX escapes in place (x2c is httpd's own helper in util.c). */
        for (x = 0, y = 0; url[y]; ++x, ++y) {
            if ((url[x] = url[y]) == '%') {
                url[x] = x2c(&url[y + 1]);
                y += 2;
            }
        }
        url[x] = '\0';
    }

Remember, this hole is ONLY seen if your cgi-bin directory is located in your DocumentRoot directory. For those of you with systems configured like this, and I have seen a lot, sorry to ruin your plans for cutting out early for Christmas.

--
Dave Pratt
dpratt@msc.edu
(612)337-3534
Minnesota Supercomputer Center Inc.
Graphics and Visualization Group
1200 Washington Avenue South
Minneapolis, MN 55415
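An added illustration of the same idea, not part of the message above and not NCSA httpd's code: the request path is canonicalized first and only then compared against the ScriptAlias prefix, so the "/cgi-bin" versus "//cgi-bin" mismatch described above cannot occur. Unlike the patch above, this version decodes %XX escapes before collapsing slashes, so the collapse operates on the decoded form; the names canonicalize_url, is_script_alias and resolves_to_cgi are assumed, and the segment-boundary requirement in is_script_alias is a design choice of this example rather than documented httpd behaviour.

```c
#include <string.h>
/* Added illustration with hypothetical names; not NCSA httpd's own code. */

/* Value of a hex digit, or -1 if c is not one (plays the role of httpd's x2c). */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Canonicalize a request path in place: percent-decode each %XX, then drop any '/'
 * that directly follows another '/'. Decoding comes first so the collapse sees the
 * final characters rather than their escaped form. Returns url for convenience. */
char *canonicalize_url(char *url) {
    char *src = url, *dst = url;
    while (*src) {
        int c = (unsigned char)*src;
        if (c == '%' && hexval(src[1]) >= 0 && hexval(src[2]) >= 0) {
            c = hexval(src[1]) * 16 + hexval(src[2]);   /* decode %XX */
            src += 2;                                   /* step over the two hex digits */
        }
        src++;
        if (c == '/' && dst > url && dst[-1] == '/')
            continue;                                   /* redundant slash: skip it */
        *dst++ = (char)c;
    }
    *dst = '\0';
    return url;
}

/* Does a canonical path fall under the ScriptAlias prefix, e.g. "/cgi-bin"?
 * A segment boundary is required so "/cgi-bin-extra" does not match. */
int is_script_alias(const char *url, const char *alias) {
    size_t n = strlen(alias);
    return strncmp(url, alias, n) == 0 && (url[n] == '\0' || url[n] == '/');
}

/* Hardened decision: canonicalize first, then match. 1 means "run as CGI"; over-long input is refused. */
int resolves_to_cgi(const char *raw, const char *alias) {
    char buf[256];
    return strlen(raw) < sizeof buf && is_script_alias(canonicalize_url(strcpy(buf, raw)), alias);
}

/* Canonical form of raw compared with an expected string (for verification). */
int canonical_equals(const char *raw, const char *expected) {
    char buf[256];
    return strlen(raw) < sizeof buf && strcmp(canonicalize_url(strcpy(buf, raw)), expected) == 0;
}
```

Comparing the raw path against the alias without canonicalizing, as is_script_alias alone would do on "///cgi-bin/man.pl", reproduces the mismatch the message describes; resolves_to_cgi on the same input matches.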