[3592] in WWW Security List Archive
Re: test-cgi
daemon@ATHENA.MIT.EDU (htorgema@novice.uwaterloo.ca)
Tue Nov 19 21:24:37 1996
From: htorgema@novice.uwaterloo.ca
Date: Tue, 19 Nov 1996 19:20:10 -0500 (EST)
Reply-To: htorgema@novice.uwaterloo.ca
To: Steff Watkins <Steff.Watkins@Bristol.ac.uk>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.SOL.3.91.961118131107.9467A-100000@sol.star.bris.ac.uk>
Errors-To: owner-www-security@ns2.rutgers.edu
On Mon, 18 Nov 1996, Steff Watkins asked:
> On Sun, 17 Nov 1996 htorgema@novice.uwaterloo.ca wrote:
>
> > Some versions of NCSA and Apache have corrected the QUERY_STRING line, but
> > not the CONTENT_TYPE nor the CONTENT_LENGTH line, while this data can be
> > easily spoofed (see example below).
> > In fact, the CONTENT_TYPE line is potentially more 'dangerous' than the
> > QUERY_STRING line because usually, http daemons don't log this field.
> >
> > > Example exploit:
> > >
> > > machine% echo "GET /cgi-bin/test-cgi?/*" | nc removed.name.com 80
> >
> > or:
> >
> > machine% telnet www.host.com 80
> > GET /cgi-bin/test-cgi HTTP/1.0
> > Content-type: /*
> >
> > <Cgi output displayed here>
>
> Hello,
>
> excuse my ignorance but......
>
> What possible 'security' risk could there be in setting the CONTENT_TYPE
> (or CONTENT_LENGTH) variables???
The problem is that the script test-cgi (and probably many others)
doesn't protect itself from these variables.
The line
echo Content-length = $CONTENT_LENGTH
seems ok, but it is not: If the CONTENT_LENGTH variable contains *,
then the line will be interpreted as
echo Content-length = *
The * will be replaced by a list of files in the current directory.
Now why is it dangerous?
Because it allows anybody to remotely browse the contents of a filesystem,
and to find some known buggy files.
A trivial example is to look at the cgi-bin directory to search for some
more buggy cgi scripts (like phf).
Another big problem is that these actions will not be logged by the http
daemon. That means that if your test-cgi file is not protected adequately,
your filesystem may have already been browsed, and you have no clue.
---------------
Henri Torgemane http://www.undergrad.math.uwaterloo.ca/~htorgema/
Never let your sense of morals prevent you from doing what is right.
-- Salvor Hardin, "Foundation"
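Added example, not part of the original post or of NCSA's test-cgi: a stand-in for the unquoted `echo Content-length = $CONTENT_LENGTH` line discussed above, run in a constructed scratch directory that plays the role of cgi-bin (the file names in it are made up), next to the quoted form and a digits-only check that a CGI script could apply before trusting the value.

```shell
#!/bin/sh
# Scratch directory standing in for cgi-bin, populated with a few
# constructed file names (the "known buggy files" the post mentions).
setup_fake_cgibin() {
    dir=$(mktemp -d)
    : > "$dir/test-cgi"
    : > "$dir/phf"
    : > "$dir/nph-test-cgi"
    echo "$dir"
}

# Vulnerable form, as in the original test-cgi: the unquoted expansion is
# subject to word splitting and pathname (glob) expansion, so a client-
# supplied "*" becomes a directory listing in the response body.
report_unquoted() {
    echo Content-length = $CONTENT_LENGTH
}

# Hardened form: double quotes keep the value a single word and stop
# globbing, so "*" is echoed back literally.
report_quoted() {
    echo "Content-length = $CONTENT_LENGTH"
}

# Stricter mitigation: a Content-length is a non-negative integer, so
# reject anything else before it reaches any shell expansion at all.
valid_content_length() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Run one of the report functions inside the fake cgi-bin with a
# CONTENT_LENGTH value chosen by the (untrusted) client, as a CGI
# daemon would export it into the script's environment.
run_with_value() {
    fn=$1; value=$2; dir=$3
    ( cd "$dir" && CONTENT_LENGTH=$value && export CONTENT_LENGTH && "$fn" )
}
```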