[9055] in bugtraq
test-cgi - Re: HTTP REQUEST METHOD flaw
daemon@ATHENA.MIT.EDU (monti)
Wed Jan 13 15:17:15 1999
Date: Wed, 13 Jan 1999 10:12:13 -0600
Reply-To: monti <monti@NETURAL.COM>
From: monti <monti@NETURAL.COM>
To: BUGTRAQ@NETSPACE.ORG
At least one exploitable application for throwing arbitrary characters
into an HTTP request method is good old "test-cgi".
The suggested (and from what I have seen on most systems, typical) fix
for the original bug in this script was to put the "QUERY_STRING" variable
in test-cgi in quotes to prevent its use for listing files.
With mnemonix's post regarding the REQUEST METHOD's "feature", many users
are re-exposed to the test-cgi problem, as the "REQUEST_METHOD" variable
remains un-quoted in the following shell command:
echo REQUEST_METHOD = $REQUEST_METHOD
Instead of using "*" or a pathname followed by "*" as an argument to
test-cgi as in:
GET /cgi-bin/test-cgi?* HTTP/1.0
An attacker could use something like the following:
* /cgi-bin/test-cgi HTTP/1.0
to see the contents of the /cgi-bin directory of the web root
or
/* /cgi-bin/test-cgi HTTP/1.0
to see the contents of the system's root, /
or whatever absolute or relative path from the webserver's cgi-bin.
This was tested on version 1.3b6 of Apache.
The fix is to surround all of the variables in test-cgi (and any other
variations of test-cgi, such as nph-test-cgi, that may be present) in
quotes.
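The unquoted echo quoted above, reproduced as an added example (not code from the original post or from test-cgi itself) beside the quoted form this fix calls for; the scratch directory and its two file names are constructed for the demonstration:

```sh
#!/bin/sh
# Added example: shows why an unquoted $REQUEST_METHOD in test-cgi lists
# files when the request method is "*", and that quoting stops it.
# Variable name matches test-cgi; directory and file names are constructed.

# Vulnerable form, as in test-cgi: the unquoted expansion is subject to
# word splitting and pathname expansion, so "*" becomes the cwd listing.
vulnerable_echo() {
    echo REQUEST_METHOD = $REQUEST_METHOD
}

# Fixed form: double quotes keep the value as one literal word.
fixed_echo() {
    echo "REQUEST_METHOD = $REQUEST_METHOD"
}

# Run one of the echo forms inside a scratch directory holding two known
# files, with REQUEST_METHOD set to the attacker-chosen value "*", and
# print what the script would have sent back in the CGI response.
run_demo() {
    _dir=$(mktemp -d) || return 1
    touch "$_dir/nph-test-cgi" "$_dir/test-cgi"
    _out=$(cd "$_dir" && export REQUEST_METHOD='*' && "$1")
    rm -rf "$_dir"
    printf '%s\n' "$_out"
}

# Expected: the vulnerable form prints the file names, the fixed form "*".
run_demo vulnerable_echo
run_demo fixed_echo
```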
If there is a moral to this story, it is yet another warning about cgi
programming and scripting: protect *any* data that can be supplied by the
user from overflow and/or unwanted interpretation in your application,
including variables that may not necessarily be directly user-supplied.
The original test-cgi advisory can be found in the bugtraq archives at
http://www.geek-girl.com/bugtraq
-Eric Monti