Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: cert0139.txt

CERT Advisory CA-97.07 nph-test-cgi script





-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT(sm) Advisory CA-97.07
Original issue date: February 18, 1997
Last revised: February 21, 1997
	      Corrected organization names in acknowledgements.

Topic: Vulnerability in the httpd nph-test-cgi script
- -----------------------------------------------------------------------------

Because of ongoing activity relating to a vulnerability in the nph-test-cgi
script included with some http daemons, the CERT Coordination Center staff is
issuing this recommendation to check your cgi-bin directory. By exploiting
this vulnerability, users of Web clients can read a listing of files they are
not authorized to see.

The CERT/CC team recommends removing the script from your system and checking
Appendix A of this advisory for information provided by vendors.

We also urge you to read CERT advisory CA-96.06.cgi_example_code for
another CGI-related vulnerability that continues to be exploited.

We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.

- -----------------------------------------------------------------------------

I.   Description

     A vulnerability in the nph-test-cgi script included with some http
     daemons makes it possible for the users of Web clients to read a listing
     of files they are not authorized to read. This script is designed to
     display information about the Web server environment, but it parses data
     requests too liberally and thus allows a person to view a listing of
     arbitrary files on the Web server host.

II.  Impact

     By exploiting this vulnerability, remote users can read a listing of files
     they are not authorized to read. Access to an account on the system is
     not necessary.

III. Solution

     We recommend removing or disabling the nph-test-cgi script (see
     Sec. A). If you must keep the script, follow the suggestion in
     Sec. B. All readers should also check Appendix A for information supplied
     by vendors.

     A. Remove or disable the script

        Some World Wide Web servers include this script by default, but it is
        possible that some sites have installed this script manually.
        Therefore, we encourage all sites to check whether they have this
        script by searching for the file nph-test-cgi in the cgi-bin directory
        associated with their web server.

        If you find the script, we urge you to either remove the program
        itself or remove the execute permissions from the program. The
        nph-test-cgi program is not required to run httpd successfully.

        Also note that a web server may have multiple cgi-bin directories. It
        is not sufficient to look in the regular location only. For example,
        in the NCSA HTTPd server, you can specify alternate locations for the
        scripts by setting the ScriptAlias directive in the srm.conf file. See
        your vendor's documentation to learn if your sever provides this
        feature. If you are using this feature, you need to remove the
        nph-test-cgi script or apply the workaround below in every cgi-bin
        directory.

     B. Modify existing scripts

        If you must continue to use this test-cgi script, then we encourage
        you to search for lines of code that echo variables and ensure
        that the variable string to be echoed is quoted. For instance,
        lines of the form:

                echo QUERY_STRING = $QUERY_STRING

        should read

                echo QUERY_STRING = "$QUERY_STRING"

     C. Vendor Information

        Please check Appendix A for information supplied by vendors; we will
        update the appendix as we receive additional information. If you do not
        see your vendor's name, then we did not hear from that vendor. Please
        contact the vendor directly.

        Note: Even if your vendor did not ship the nph-test-cgi script,
              you should check your cgi-bin directory in case someone at your
              site added such a script later.

IV.  Additional Reading

     Several resources relating to Web security in general are available.
     The following resources provide a useful starting point. They include
     links describing general WWW security, secure httpd setup, and secure CGI
     programming.

        The World Wide Web Security FAQ:
                http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html

        NSCA's "Security Concerns on the Web" Page:
                http://hoohoo.ncsa.uiuc.edu/security/

     The following book contains useful information, including sections on
     secure programming techniques.

       _Practical Unix & Internet Security_, Simson Garfinkel and
        Gene Spafford, 2nd edition, O'Reilly and Associates, 1996.

     (Note that we provide these pointers for your convenience. As this is not
     CERT/CC material, we cannot be responsible for content or availability.
     Please contact the administrators of the sites if you have difficulties
     with access.)

...........................................................................

Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional information.
If you do not see your vendor's name, the CERT/CC did not hear from that
vendor. Please contact the vendor directly.

Apache
=====
   The latest version of Apache, 1.1.3, does not contain the nph-test-cgi
   cgi-script. The test-cgi script included with Apache 1.1.3 does
   contain the filename globbing bug, but does not ship enabled by
   default.


Apache-SSL
==========
   The current version of Apache-SSL is against 1.1.1, and so does not
   suffer from this problem. Also, Apache-SSL is distributed as patches
   to Apache, and so does not, in itself, contain any CGI scripts.


Stronghold
==========
   Stronghold 1.3.4 ships with no pre-installed CGI scripts.


Microsoft
=========
   With regard to NT/IIS we don't ship the script referenced.

   Also see recommendations at
      http://www.microsoft.com/intdev and http://www.microsoft.com/pdc


National Center for Supercomputing Applications
===============================================

   The NCSA(tm) HTTPd comes with a variety of test cgi scripts, including
   nph-test-cgi.  Also included are test-cgi, test-cgi.tcl, and test-env.
   These test scripts are readily identified by the word "test" in their
   names.  They have been provided at the request of our web server community
   to test the server installation and facilitate the development of cgi
   scripts.  When working perfectly they provide private information about the
   server and cgi environment.

   Test cgi programs are not intended to be left on an operational server.  If
   using the NCSA HTTPd server for operational use, many configuration issues
   must be addressed.  Among those issues is the use of cgi scripts.  No
   script should be run on a server that has not been carefully reviewed.
   This is especially true for the test scripts, which were never intended to
   be left on an operational server.

   Users of NCSA HTTPd should be running the most current version (1.5.2a) to
   ensure that security patches are implemented.  Test cgi scripts should be
   removed from cgi-bin directories before putting a server in operational
   use.

   Please see http://hoohoo.ncsa.uiuc.edu/security for further details on
   securely installing the NCSA HTTPd server.

   To report security vulnerabilities in NCSA products, email the NCSA
   Incident Response and Security Team (irst@ncsa.uiuc.edu).

   NCSA is a trademark of the University of Illinois Board of Trustees.


- -----------------------------------------------------------------------------
The CERT Coordination Center thanks David Kennedy of the National Computer
Security Association, Ken Rowe of the NCSA(tm) IRST, and Josh Richards for
providing information about this problem.
- -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see ftp://info.cert.org/pub/FIRST/first-contacts).


CERT/CC Contact Information
- ----------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
                and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We can
   support a shared DES key or PGP. Contact the CERT/CC for more information.
   Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

Getting security information
   CERT publications and other security information are available from
        http://www.cert.org/
        ftp://info.cert.org/pub/

   CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

   To be added to our mailing list for advisories and bulletins, send
   email to
        cert-advisory-request@cert.org
   In the subject line, type
        SUBSCRIBE  your-email-address

- ---------------------------------------------------------------------------
Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is
included.

CERT is a service mark of Carnegie Mellon University.
- ---------------------------------------------------------------------------

This file: ftp://info.cert.org/pub/cert_advisories/CA-97.07.nph-test-cgi_script
           http://www.cert.org
               click on "CERT Advisories"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

February 21, 1997  Acknowledgements - corrected organization names.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMw4EFHVP+x0t4w7BAQG/awQAz/0bxgpFffdWh9FVMM8Fp9J45swP+/ZS
LY4ujfQVm5n8Qibxhy8Vk4ZhCRLO7pPE7X9PRuSm8MQF2ZWirttHhdVs1eK/8WrA
+HSo+Y1HXoybDr7wN7Sprn0d4ss5xM/VQHDsmOTtikq+FHEq6CvBf+2J8gqygFU1
HOYspVfMQ9E=
=qGBy
-----END PGP SIGNATURE-----



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH