CGI Script Source Code Disclosure Vulnerability in Apache for Windows
ADVISORY NAME:
CGI Script Source Code Disclosure Vulnerability in Apache for Windows
VULNERABLE SYSTEMS:
The vulnerability has been verified on Apache 2.2.2 running on Microsoft
Windows XP, Version 2002, Service Pack 2.
FOUND BY:
Susam Pal
FOUND ON:
8th August, 2007
VULNERABILITY TYPE:
Information Disclosure
SYSTEM DESCRIPTION:
Apache HTTPD is a web server that can run on many platforms to provide
web-service. The basic server configuration is controlled by the file
'httpd.conf'. The 'DocumentRoot' directive controls which directory is
considered to be root for serving documents. For instance:-
DocumentRoot "/home/webmaster/site/docroot/"
In the above example, a request to 'http://[target]/foo.html' would fetch the
'foo.html' page from '/home/webmaster/site/docroot/' directory of the server.
The 'ScriptAlias' directive controls which directory contains server scripts.
The following is an example of a typical 'ScriptAlias' directive:-
ScriptAlias /cgi-bin/ "/home/webmaster/site/docroot/cgi-bin"
If a user makes a direct request to 'http://[target]/cgi-bin/foo' where
'cgi-bin' is the scripts' directory and 'foo' is the script, the user gets the
output of the 'foo' script. In a secure system, the user is not supposed to
view the source-code of 'foo' by making an HTTP GET request.
VULNERABILITY DESCRIPTION:
Usually the following directives in 'httpd.conf' file can be considered safe
for Unix/Linux (assuming that other directives haven't been insanely edited):-
# Sample Safe Configuration for Unix/Linux
DocumentRoot "/home/webmaster/site/docroot/"
ScriptAlias /cgi-bin/ "/home/webmaster/site/docroot/cgi-bin"
But a similar configuration isn't safe in Windows. For instance:-
# Sample Unsafe Configuration for Windows
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and
Settings/webmaster/site/docroot/cgi-bin/"
If the scripts' directory (represented by 'ScriptAlias') lies inside the
document-root directory (represented by 'DocumentRoot') and the name of the
script-alias is same as that of the directory containing the scripts then the
attacker can obtain the source code of the CGI scripts by making a direct
request to 'http://[target]/CGI-BIN/foo'.
Apache web-server checks for the exact case mentioned in the 'ScriptAlias'
directive before deciding whether the directory mentioned in the HTTP GET
request is a scripts' directory or not. So, when Apache web-server receives a
request for a file in 'CGI-BIN' directory, it finds it to be different from
'cgi-bin' mentioned in the 'ScriptAlias' directive. So, it concludes that it is
not a script-alias. Then it checks for 'CGI-BIN' directory in the document-root
directory and finds it since file-names and directory-names are not
case-sensitive on Windows. So, it simply sends the content of the 'foo' file as
the HTTP response. It doesn't execute the 'foo' script because it isn't found
in a directory pointed by script-alias.
EXPLOIT:
The vulnerability can be exploited by making a direct request to
http://[target]/CGI-BIN/foo
PREVENTION:
1. Choosing a name for the 'ScriptAlias' different from the name of the actual
directory will reduce the risk. For instance,
# Sample Configuration for Reducing Risk
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and
Settings/webmaster/site/docroot/sdy1x9y/"
The attacker can still get the source code by making a direct request to
'http://[target]/sdy1x9y/foo' if the attacker can somehow determine that the
'ScriptAlias /cgi-bin/' refers to the 'sdy1x9y' directory.
2. A more secure preventive measure would be to place the scripts folder
outside the 'DocumentRoot' directory and then form a 'ScriptAlias' to it. For
instance,
# Sample Configuration for Increased Security
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/cgi-bin"
DISCLAIMER:
The information, codes and exploits in this advisory should be used for
research, experimentation, bug-fixes and patch-releases only. The author shall
not be liable in any event of any damages, incidental or consequential, in
connection with, or arising out of this advisory, or its codes and exploits.
CONTACT INFORMATION:
For more information, please contact:-
Susam Pal
Infosys Technologies Ltd.
Survey No. 210, Manikonda Village
Lingampally, Rangareddy District
Hyderabad, PIN 500019
India
Phone No.: +91-9985259521
Email: susam.pal@xxxxxxxxx
http://susampal.blogspot.com/
http://securecoding.blogspot.com/