[2202] in WWW Security List Archive


Re: BoS: CERT Advisory CA-96.11 - Interpreters in CGI bin Directories

daemon@ATHENA.MIT.EDU (Gary Meltzer)
Tue Jun 4 09:51:47 1996

From: garym@softshore.com.au (Gary Meltzer)
To: David Kennedy <76702.3557@compuserve.com>
Cc: World Wide Web Security <WWW-SECURITY@ns2.rutgers.edu>
Date: Tue, 04 Jun 1996 08:29:08 GMT
In-Reply-To: <960529221557_76702.3557_CHN54-1@CompuServe.COM>
Errors-To: owner-www-security@ns2.rutgers.edu

[The softshore.com.au zone was broken from ~ June 3 to 4.  Apologies to
 anyone who tried to email me then.]

>=============================================================================
>CERT(sm) Advisory CA-96.11
>May 29, 1996
>
>Topic: Interpreters in CGI bin Directories
>- -----------------------------------------------------------------------------
>
>Many sites that maintain a Web server support CGI programs. Often these
>programs are scripts that are run by general-purpose interpreters, such as
>/bin/sh or PERL. If the interpreters are located in the CGI bin directory
>along with the associated scripts, intruders can access the interpreters
>directly and arrange to execute arbitrary commands on the Web server system.

Please note, the www-security FAQ reported that Ian Redfern
<redferni@logica.com> found a similar problem under NT with CGI
batch-files.  How do items get promoted from the FAQ to CERT?

This is significant, as invoking the PERL script through a batch-file
has been advised as an alternative where extension-association is not
implemented by the web-server.

Under NT, I have found that putting "exit" at the end of the batch-file is
a defence.

Documentation on a possible wider defence for NT is at:
 http://www.softshore.com.au/cgi-bin/PEARL.BAT?

>This problem has been widely discussed in several forums. Unfortunately, some
>sites have not corrected it.

Neither has at least one vendor.

>The CERT Coordination Center recommends that you never put interpreters in a
>Web server's CGI bin directory. 

It's also a bad place for shells and defenceless batch-files.
Also, under at least one NT web-server, this applied to sub-directories
under cgi-bin.

>...

I also have a concern about the following perl command-line:
 perl -w -e.pl "print 'hello world';"
where -e.pl does not exist.  From NT CMD.EXE and a Linux shell, this
runs without warnings.

Can somebody test whether this form leaks through extension-associating
web-servers, by using something like:

http://www.somewhere/cgi-bin/-e.pl?print%20%27Content-type%3A%20text%2Fplain%0D%0Ahello%20world%27%3B

Hopefully all the servers check for the existence of the file first?
Even so, this is a hole for system administrators to be aware of, as
virtual-domain webmasters could upload such a trojan horse.

And a final gripe about web-servers - at least one NT web-server, when
indexing directories, happily lists sub-directories which have the hidden
attribute set.

---
 G.
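
[Added example, not part of the original message or of the CERT advisory: a small audit that walks a CGI directory tree, sub-directories included, and reports the three conditions discussed above: interpreters or shells, file names that begin with "-", and batch files whose last command is not "exit". The interpreter name list, the function names and the sample tree are assumptions constructed for illustration.]

```python
import os
import tempfile

# Assumed interpreter/shell basenames; extend for your platform.
INTERPRETERS = {"perl", "sh", "bash", "csh", "tcsh", "ksh", "zsh",
                "tclsh", "python", "cmd", "command"}

def batch_ends_with_exit(path):
    """True if the last non-blank line of a batch file is an exit command."""
    with open(path, "r", errors="replace") as fh:
        lines = [ln.strip().lstrip("@").lower() for ln in fh if ln.strip()]
    return bool(lines) and lines[-1].split()[:1] == ["exit"]

def audit_cgi_dir(root):
    """Return sorted (relative_path, reason) findings for a CGI tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):  # sub-directories count too
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            stem, ext = os.path.splitext(name.lower())
            if stem in INTERPRETERS and ext in ("", ".exe", ".com"):
                findings.append((rel, "interpreter or shell"))
            if name.startswith("-"):
                findings.append((rel, "name reads as a command-line option"))
            if ext in (".bat", ".cmd") and not batch_ends_with_exit(full):
                findings.append((rel, "batch file does not end with exit"))
    return sorted(findings)

def build_sample_tree():
    """Create a constructed sample cgi-bin tree in a temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="cgi-bin-")
    os.mkdir(os.path.join(root, "tools"))
    samples = {
        "hello.pl": "print 'hello world';\n",
        "perl.exe": "",
        "-e.pl": "",
        "tools/sh": "",
        "run.bat": "@echo off\r\nperl hello.pl\r\n",
        "safe.bat": "@echo off\r\nperl hello.pl\r\nexit\r\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", newline="") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for path, reason in audit_cgi_dir(build_sample_tree()):
        print(f"{path}: {reason}")
```

[Point audit_cgi_dir() at the server's real CGI directory to use it; the check is by file name only and does not inspect file contents other than batch files.]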
