CGI Script Source Code Disclosure Vulnerability in Apache for Windows

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: CGI Script Source Code Disclosure Vulnerability in Apache for Windows
From: susam.pal@xxxxxxxxx
Date: 9 Aug 2006 10:15:42 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

ADVISORY NAME:
CGI Script Source Code Disclosure Vulnerability in Apache for Windows

VULNERABLE SYSTEMS:
The vulnerability has been verified on Apache 2.2.2 running on Microsoft 
Windows XP, Version 2002, Service Pack 2.

FOUND BY:
Susam Pal

FOUND ON:
8th August, 2007

VULNERABILITY TYPE:
Information Disclosure

SYSTEM DESCRIPTION:
Apache HTTPD is a web server that can run on many platforms to provide 
web-service. The basic server configuration is controlled by the file 
'httpd.conf'. The 'DocumentRoot' directive controls which directory is 
considered to be root for serving documents. For instance:-

DocumentRoot "/home/webmaster/site/docroot/"

In the above example, a request to 'http://[target]/foo.html' would fetch the 
'foo.html' page from '/home/webmaster/site/docroot/' directory of the server.

The 'ScriptAlias' directive controls which directory contains server scripts. 
The following is an example of a typical 'ScriptAlias' directive:-

ScriptAlias /cgi-bin/ "/home/webmaster/site/docroot/cgi-bin"

If a user makes a direct request to 'http://[target]/cgi-bin/foo' where 
'cgi-bin' is the scripts' directory and 'foo' is the script, the user gets the 
output of the 'foo' script. In a secure system, the user is not supposed to 
view the source-code of 'foo' by making an HTTP GET request.

VULNERABILITY DESCRIPTION:
Usually the following directives in 'httpd.conf' file can be considered safe 
for Unix/Linux (assuming that other directives haven't been insanely edited):-

# Sample Safe Configuration for Unix/Linux
DocumentRoot "/home/webmaster/site/docroot/"
ScriptAlias /cgi-bin/ "/home/webmaster/site/docroot/cgi-bin"

But a similar configuration isn't safe in Windows. For instance:-

# Sample Unsafe Configuration for Windows
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and 
Settings/webmaster/site/docroot/cgi-bin/"

If the scripts' directory (represented by 'ScriptAlias') lies inside the 
document-root directory (represented by 'DocumentRoot') and the name of the 
script-alias is same as that of the directory containing the scripts then the 
attacker can obtain the source code of the CGI scripts by making a direct 
request to 'http://[target]/CGI-BIN/foo'.

Apache web-server checks for the exact case mentioned in the 'ScriptAlias' 
directive before deciding whether the directory mentioned in the HTTP GET 
request is a scripts' directory or not. So, when Apache web-server receives a 
request for a file in 'CGI-BIN' directory, it finds it to be different from 
'cgi-bin' mentioned in the 'ScriptAlias' directive. So, it concludes that it is 
not a script-alias. Then it checks for 'CGI-BIN' directory in the document-root 
directory and finds it since file-names and directory-names are not 
case-sensitive on Windows. So, it simply sends the content of the 'foo' file as 
the HTTP response. It doesn't execute the 'foo' script because it isn't found 
in a directory pointed by script-alias.

EXPLOIT:
The vulnerability can be exploited by making a direct request to 
http://[target]/CGI-BIN/foo

PREVENTION:
1. Choosing a name for the 'ScriptAlias' different from the name of the actual 
directory will reduce the risk. For instance,

# Sample Configuration for Reducing Risk
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and 
Settings/webmaster/site/docroot/sdy1x9y/"

The attacker can still get the source code by making a direct request to 
'http://[target]/sdy1x9y/foo' if the attacker can somehow determine that the 
'ScriptAlias /cgi-bin/' refers to the 'sdy1x9y' directory.

2. A more secure preventive measure would be to place the scripts folder 
outside the 'DocumentRoot' directory and then form a 'ScriptAlias' to it. For 
instance,

# Sample Configuration for Increased Security
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/cgi-bin"

DISCLAIMER:
The information, codes and exploits in this advisory should be used for 
research, experimentation, bug-fixes and patch-releases only. The author shall 
not be liable in any event of any damages, incidental or consequential, in 
connection with, or arising out of this advisory, or its codes and exploits.

CONTACT INFORMATION:
For more information, please contact:- 

Susam Pal
Infosys Technologies Ltd.
Survey No. 210, Manikonda Village
Lingampally, Rangareddy District
Hyderabad, PIN 500019
India
Phone No.: +91-9985259521
Email: susam.pal@xxxxxxxxx
http://susampal.blogspot.com/
http://securecoding.blogspot.com/

Follow-Ups:
- Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows
  - From: Joe Orton

Prev by Date: XennoBB <= "avatar gallery" Directory Transversal
Next by Date: Simple one-file GuestBook 1.0
Previous by thread: XennoBB <= "avatar gallery" Directory Transversal
Next by thread: Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows
Index(es):
- Date
- Thread