Subject: [NT] CGI Script Source Code Disclosure Vulnerability in Apache for Windows
Date: 21 Aug 2006 09:20:14 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  CGI Script Source Code Disclosure Vulnerability in Apache for Windows
------------------------------------------------------------------------


SUMMARY

Apache <http://www.apache.org/> HTTPD is "a web server that can run on 
many platforms to provide web-service". A vulnerability in Apache running 
on Windows allows remote attackers to read the content of files located on 
the server, in particular the source code of CGI scripts.

DETAILS

Vulnerable Systems:
 * Apache 2.2.2 running on Microsoft Windows XP, Version 2002, Service Pack 2

Background:
The basic server configuration is controlled by the file 'httpd.conf'. The 
'DocumentRoot' directive controls which directory is considered to be root 
for serving documents. For instance:
DocumentRoot "/home/webmaster/site/docroot/"

In the above example, a request to 'http://[target]/foo.html' would fetch 
the 'foo.html' page from '/home/webmaster/site/docroot/' directory of the 
server.

The 'ScriptAlias' directive controls which directory contains server 
scripts. The following is an example of a typical 'ScriptAlias' directive:
ScriptAlias /cgi-bin/ "/home/webmaster/site/docroot/cgi-bin"

If a user makes a direct request to 'http://[target]/cgi-bin/foo' where 
'cgi-bin' is the scripts' directory and 'foo' is the script, the user gets 
the output of the 'foo' script. In a secure system, the user is not 
supposed to view the source-code of 'foo' by making an HTTP GET request.

Vulnerability description:
Usually the following directives in the 'httpd.conf' file can be considered 
safe on Unix/Linux (assuming that the other directives have not been edited 
in unusual ways):
# Sample Safe Configuration for Unix/Linux
DocumentRoot "/home/webmaster/site/docroot/"
ScriptAlias /cgi-bin/ "/home/webmaster/site/docroot/cgi-bin"

But a similar configuration isn't safe on Windows. For instance:
# Sample Unsafe Configuration for Windows
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/docroot/cgi-bin/"

If the scripts' directory (the target of 'ScriptAlias') lies inside the 
document-root directory (the target of 'DocumentRoot'), and the name used 
in the script-alias is the same as the name of the directory containing the 
scripts, then an attacker can obtain the source code of the CGI scripts by 
requesting a case variant of the alias, such as 
'http://[target]/CGI-BIN/foo'.

Apache compares the directory named in the HTTP GET request against the 
'ScriptAlias' directive exactly, including case, before deciding whether it 
is a scripts' directory. When Apache receives a request for a file in the 
'CGI-BIN' directory, it finds that this differs from the 'cgi-bin' named in 
the 'ScriptAlias' directive and concludes that the request is not for a 
script-alias. It then looks for a 'CGI-BIN' directory under the 
document-root directory and finds it, because file and directory names are 
not case-sensitive on Windows. It therefore sends the content of the 'foo' 
file as the HTTP response. It does not execute the 'foo' script, because 
'foo' was not reached through a directory pointed to by a script-alias.

Exploit:
The vulnerability can be exploited by making a direct request to 
http://[target]/CGI-BIN/foo

Prevention:
1. Choosing a name for the 'ScriptAlias' that differs from the name of the 
actual directory will reduce the risk. For instance:
# Sample Configuration for Reducing Risk
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/docroot/sdy1x9y/"

The attacker can still get the source code by making a direct request to 
'http://[target]/sdy1x9y/foo' if the attacker can somehow determine that 
the 'ScriptAlias /cgi-bin/' refers to the 'sdy1x9y' directory.

2. A more secure preventive measure is to place the scripts folder outside 
the 'DocumentRoot' directory and point the 'ScriptAlias' at it. For 
instance:
# Sample Configuration for Increased Security
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/cgi-bin"
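
The following Python script is an added example; it is not part of the 
advisory and is not Apache code. It models the decision described above 
(case-sensitive 'ScriptAlias' prefix matching followed by a case-insensitive 
'DocumentRoot' lookup on Windows) and audits 'httpd.conf' fragments for the 
three layouts shown in this advisory. The configuration fragments, the 
sample file list standing in for the filesystem, and all function names 
are constructed for illustration; the request model is a simplification of 
Apache's real URL-to-file mapping.

```python
"""Model of the ScriptAlias / DocumentRoot case mismatch, plus a checker for
the httpd.conf pattern the advisory warns about.

Added example, not code from the advisory or from Apache. Config fragments,
the sample file list and the function names are constructed; the request
model is a simplification of Apache's real URL-to-file mapping.
"""
import posixpath
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed httpd.conf fragments mirroring the advisory's three layouts.
UNSAFE_CONF = '''
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/docroot/cgi-bin/"
'''
REDUCED_RISK_CONF = '''
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/docroot/sdy1x9y/"
'''
SAFER_CONF = '''
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/cgi-bin"
'''

# Constructed file list standing in for the Windows filesystem of the unsafe layout.
SAMPLE_FS: Set[str] = {
    "C:/Documents and Settings/webmaster/site/docroot/index.html",
    "C:/Documents and Settings/webmaster/site/docroot/cgi-bin/foo",
}

_DIRECTIVE = re.compile(r'^\s*(DocumentRoot|ScriptAlias)\s+(.*)$', re.I)


def parse_conf(text: str) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Return (DocumentRoot, [(url_prefix, directory), ...]) from a config fragment."""
    docroot, aliases = None, []
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        # Arguments are either double-quoted (may contain spaces) or bare tokens.
        args = [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', m.group(2))]
        if m.group(1).lower() == 'documentroot':
            docroot = args[0]
        else:
            aliases.append((args[0], args[1]))
    return docroot, aliases


def _norm(path: str) -> str:
    """Normalise a path the way a case-insensitive filesystem compares it."""
    return posixpath.normpath(path.replace('\\', '/')).rstrip('/').lower()


def audit_script_alias(docroot: str, url_prefix: str, directory: str) -> str:
    """Classify one ScriptAlias: 'unsafe' (under DocumentRoot, same name as the
    alias, so a case variant of the URL reaches the source as a static file),
    'reduced-risk' (under DocumentRoot under another name) or 'ok' (outside)."""
    root, target = _norm(docroot), _norm(directory)
    if not target.startswith(root + '/'):
        return 'ok'
    if posixpath.basename(target) == url_prefix.strip('/').lower():
        return 'unsafe'
    return 'reduced-risk'


def audit_conf(text: str) -> List[str]:
    """Audit every ScriptAlias in a config fragment."""
    docroot, aliases = parse_conf(text)
    return [audit_script_alias(docroot or '', p, d) for p, d in aliases]


def resolve_request(url_path: str, docroot: str, aliases: List[Tuple[str, str]],
                    fs: Set[str], case_insensitive: bool = True) -> str:
    """Simplified model of the decision the advisory describes."""
    # 1. ScriptAlias prefixes are compared exactly, i.e. case-sensitively.
    for prefix, _directory in aliases:
        if url_path.startswith(prefix):
            return 'execute'
    # 2. No alias matched: map the URL under DocumentRoot and look it up with
    #    the filesystem's case rules (case-insensitive on Windows).
    candidate = posixpath.normpath(docroot.rstrip('/') + '/' + url_path.lstrip('/'))
    if case_insensitive:
        real = {p.lower(): p for p in fs}.get(candidate.lower())
    else:
        real = candidate if candidate in fs else None
    if real is None:
        return '404'
    # 3. Found as a plain document; if it actually lives inside a ScriptAlias
    #    directory, its source is served instead of being executed.
    for _prefix, directory in aliases:
        if _norm(real).startswith(_norm(directory) + '/'):
            return 'disclose-source'
    return 'static'


def demo() -> Dict[str, str]:
    """Run the advisory's scenario against the unsafe layout."""
    docroot, aliases = parse_conf(UNSAFE_CONF)
    return {
        'GET /cgi-bin/foo': resolve_request('/cgi-bin/foo', docroot, aliases, SAMPLE_FS),
        'GET /CGI-BIN/foo (Windows)': resolve_request('/CGI-BIN/foo', docroot, aliases, SAMPLE_FS),
        'GET /CGI-BIN/foo (Unix)': resolve_request('/CGI-BIN/foo', docroot, aliases,
                                                   SAMPLE_FS, case_insensitive=False),
    }


if __name__ == '__main__':
    print(demo())
    print(audit_conf(UNSAFE_CONF), audit_conf(REDUCED_RISK_CONF), audit_conf(SAFER_CONF))
```

Running the script shows the two sides of the advisory: the exact-case 
request is classified as 'execute', the upper-case variant on a 
case-insensitive filesystem as 'disclose-source', and the same variant on a 
case-sensitive filesystem as '404'. The audit marks the advisory's three 
configurations 'unsafe', 'reduced-risk' and 'ok' respectively; the 'ok' 
result depends only on the scripts directory lying outside 'DocumentRoot', 
which is why the second preventive measure is the stronger one.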


ADDITIONAL INFORMATION

The information has been provided by Susam Pal <mailto:susam.pal@gmail.com>.
The original article can be found at: http://susampal.blogspot.com/


