
Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows



On Wed, Aug 09, 2006 at 10:15:42AM -0000, susam.pal@xxxxxxxxx wrote:
> ADVISORY NAME:
> CGI Script Source Code Disclosure Vulnerability in Apache for Windows
...
> But a similar configuration isn't safe in Windows. For instance:-
> 
> # Sample Unsafe Configuration for Windows
> DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
> ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/docroot/cgi-bin/"
> 
> If the scripts' directory (represented by 'ScriptAlias') lies inside
> the document-root directory (represented by 'DocumentRoot') and the
> name of the script-alias is the same as that of the directory containing
> the scripts then the attacker can obtain the source code of the CGI
> scripts by making a direct request to 'http://[target]/CGI-BIN/foo'.

This is not a security vulnerability in the server, but rather a serious
misconfiguration of the ScriptAlias Directive.  ScriptAlias exists to
allow CGI scripts to be stored in a directory outside of the document
tree.  Common convention is never to include cgi-bin within the document
tree.

Regards,
Joe Orton
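
The layout discussed in this thread can be checked for mechanically. The following is an added example, not part of the original messages or of Apache: it scans configuration text for any ScriptAlias target that lies inside a DocumentRoot, comparing paths the way Windows does. The function names and the path in `SAFE_CONF` are assumptions, and it reads only the directives in the text it is given (no `Include` or `<VirtualHost>` scoping).

```python
import ntpath
import re

# Constructed sample input: the advisory's unsafe layout, and a layout with
# the scripts directory moved outside the document tree (path is hypothetical).
UNSAFE_CONF = '''
# Sample Unsafe Configuration for Windows
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/docroot/cgi-bin/"
'''
SAFE_CONF = '''
DocumentRoot "C:/Documents and Settings/webmaster/site/docroot"
ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/cgi-bin/"
'''

TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # quoted argument or bare word

def _norm(path):
    # Windows path semantics: case-insensitive, '/' and '\' interchangeable.
    return ntpath.normcase(ntpath.normpath(path))

def _inside(child, parent):
    child, parent = _norm(child), _norm(parent)
    return child == parent or child.startswith(parent.rstrip("\\") + "\\")

def audit(conf_text):
    """Return (url_path, target, docroot) for every ScriptAlias target
    that lies inside a DocumentRoot named in the same text."""
    docroots, aliases = [], []
    for raw in conf_text.splitlines():
        args = [q or b for q, b in TOKEN.findall(raw.strip())]
        if not args or args[0].startswith("#"):
            continue
        name = args[0].lower()  # directive names are case-insensitive
        if name == "documentroot" and len(args) >= 2:
            docroots.append(args[1])
        elif name == "scriptalias" and len(args) >= 3:
            aliases.append((args[1], args[2]))
    return [(url, target, root) for url, target in aliases
            for root in docroots if _inside(target, root)]

if __name__ == "__main__":
    for label, conf in (("unsafe", UNSAFE_CONF), ("safe", SAFE_CONF)):
        print(label, audit(conf))
```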