test-cgi:
When an Apache web server is installed, the test-cgi program is installed by default. The installation of this program creates a security hole on the system, as it indiscriminately gives out various system information, such as the directory in which the Web server resides, the OS of the system and even the directory structure of the system. Some versions of the test-cgi program are not vulnerable to probing by a malicious user, and, of course, some versions are. To determine if your version of test-cgi is vulnerable, use any standard text editor (such as vi) to view the body of the program (which is written in standard shell script). If it contains the line of text found below, it is indeed vulnerable to probing by a malicious user:
If the test-cgi program is present in the Web server's /cgi-bin directory, it may be accessed and exploited using any Web browser. A hacker would simply have to type in the URL below to gain information about the target system:
dumpenv.pl:
This program, written in perl, displays general environment information about the system on which a Web server resides. This information may include the version of Web server software being used, path information and information about the system's directory settings.
nph-test-cgi:
By passing the proper arguments to this program, using any Web browser, a hacker may be able to read the contents of various directories on the target system (regardless of any security settings).
Older versions of wwwboard.pl scripts do not perform URL checking before accepting input. If a hacker passes the proper parameters to this particular program (via a form), he or she may be able to remove lists, corrupt various files and wreak general chaos on the Web-based message board. If the wwwboard.pl program is present on the system, you will be notified of this fact, although not all versions of the program contain this vulnerability.
The HTTP (or Web) server shipped with IRIX 6.x comes installed with a perl script named wrap. A hacker may use this program to view a listing of any directory on the target system with a mode setting of 755, which is, in standard UNIX notation, "rwxr-xr-x". This means that the directory will have read, write and execute permissions at the user (owner) level and read and execute permissions at the group and world levels. The wrap program is part of the Outbox subsystem installed by default with the HTTP server (beginning with IRIX version 6.2). This vulnerability is often exploited as an information gathering tool in conjunction with the other vulnerabilities discussed in this tutorial.
finger:
The finger CGI is a program which uses the finger binary to display information about user accounts on a system (this is done via the Web server). This information may contain such things as the type of shell associated with user accounts, login names, last login date and other information a hacker might find useful. This information, if released, might well prove invaluable to a hacker attempting to gain unauthorized access to a target system.
ndsobj.nlm:
8/27/01
This script is part of the NetWare Enterprise Web Server 5.1. If NDS browsing over the web is enabled, a remote attacker could use the script to gather user names, group names, and other system information.
ofcscan.ini:
10/24/01
CAN 2001-1151
This is the configuration file for Trend Micro OfficeScan and Virus Buster Corporate Editions. Due to inadequate access control on the /officescan/hotdownload virtual directory, it is possible for a remote attacker to read this file, revealing configuration information and encrypted passwords which can be easily decrypted.
stronghold-info:
11/30/01
It is possible for a remote attacker to gain access to configuration information, a list of requests made to the server, and other sensitive information on a Red Hat Stronghold server using the following two requests:
http://target/stronghold-info
http://target/stronghold-status
realPath.jsp, source.jsp, pageInfo.jsp:
6/4/02
These scripts are part of the Apache Tomcat Java Servlet package. A variety of vulnerabilities in these and other sample scripts could allow a remote attacker to view directory listings, physical path names, and Java debugging information that could be useful in planning an attack.
CVE 2000-1210
Additionally, older versions of source.jsp have a directory traversal vulnerability which could reveal any file on the system.
DefaultServlet:
9/27/02
CAN 2002-1148
The default servlet (org.apache.catalina.servlets.DefaultServlet) is part of the Apache Tomcat Java Servlet package. A vulnerability in this servlet could allow a remote attacker to view source code, which could reveal passwords, the directory structure, or other sensitive information which could be used to plan a subsequent attack. Tomcat 4.0.4 and 4.1.10 (and probably all other earlier versions also) are vulnerable.
phpinfo.php:
12/31/02
This script is part of Mambo Site Server. It could reveal sensitive information, such as full physical path names and PHP settings.
messages:
3/7/03
The Axis webcam system includes a web-based administrative interface. When the server receives a request for http://server/support/messages, it returns the contents of the /var/log/messages file, which could contain sensitive information about the operating system. Additional vulnerabilities could allow an attacker to create or overwrite arbitrary files.
test-cgi:
The best solution for this vulnerability is to remove the test-cgi program! If this is not feasible, simply add quotes to the offending line (see the example below).
echo QUERY_STRING = "$QUERY_STRING"
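As an added example (not part of this tutorial), the following shell script reproduces the difference between the unquoted and quoted forms of the test-cgi line described at the top of the page and in this fix, and includes a check that flags CGI shell scripts in a directory still carrying the unquoted form. The scratch directories, file names and query string are constructed for the demo.

```shell
# Added example, not code from the original tutorial. It shows why the unquoted
# test-cgi line leaks directory contents (the shell expands a "*" in QUERY_STRING
# against the current directory) and gives a check that flags CGI shell scripts
# still carrying that form. Every file and query string here is constructed.

# Run one variant of the offending line in a scratch directory holding two
# constructed files, so that glob expansion is visible in the output.
run_variant() {                       # $1 = unquoted|quoted, $2 = query string
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" && touch secret.conf users.db
        QUERY_STRING=$2
        if [ "$1" = unquoted ]; then
            echo QUERY_STRING = $QUERY_STRING      # vulnerable: "*" becomes a file list
        else
            echo QUERY_STRING = "$QUERY_STRING"    # fixed: the value is echoed literally
        fi
    )
    rm -rf "$dir"
}

# True (exit 0) when a script echoes $QUERY_STRING with no quote anywhere between
# "echo" and the variable, i.e. the form the tutorial calls vulnerable.
# Only the plain $QUERY_STRING spelling is checked, not ${QUERY_STRING}.
is_unquoted_echo() {                  # $1 = path to a CGI shell script
    grep -Eq 'echo[^"]*\$QUERY_STRING' "$1"
}

# Walk a cgi-bin directory, print each flagged script, and return 1 if any found.
scan_cgi_bin() {                      # $1 = directory to check
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if is_unquoted_echo "$f"; then
            echo "unquoted QUERY_STRING echo: $f"
            found=1
        fi
    done
    return $found
}

# Self-contained demo: a scratch cgi-bin with one vulnerable and one fixed copy.
# Prints the number of flagged scripts (expected: 1).
demo_scan() {
    cgi=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho QUERY_STRING = $QUERY_STRING\n' > "$cgi/test-cgi"
    printf '#!/bin/sh\necho QUERY_STRING = "$QUERY_STRING"\n' > "$cgi/test-cgi.fixed"
    scan_cgi_bin "$cgi" | wc -l | tr -d ' '
    rm -rf "$cgi"
}
```

Point scan_cgi_bin at your own /cgi-bin to list scripts that still need the quoting fix or removal.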
dumpenv.pl:
It is highly recommended that you remove the dumpenv.pl program from your Web server's /cgi-bin directory. At the very least, you should set some type of access restriction for this particular program. You may wish to, for example, place the program in a password protected directory. For further protection, you may also wish to restrict which IP addresses may access this program (for information on how to enable password and IP address restrictions, see your Web server's documentation).
nph-test-cgi:
To eliminate this vulnerability, we recommend that you remove this program from the /cgi-bin directory.
wwwboard.pl:
The fix for this vulnerability is to download and install the latest version of wwwboard.pl. Or, if this particular program is not being used, simply remove it from your Web server's /cgi-bin directory.
wrap:
A patch has been issued by Silicon Graphics which corrects the problems found in this program. If the patch cannot be installed, you may apply one of the following workarounds:
1. Change the permissions on the /cgi-bin/wrap:
finger:
If the script is not being used, we strongly recommend that you remove it from the Web server's /cgi-bin directory.
ndsobj.nlm:
A fix for this script has not yet been released. To mitigate the impact of the vulnerability, disable the NDS browser by performing the following steps from the WEBMGR utility:
ofcscan.ini:
A patch is available for Virus Buster. A fix for OfficeScan has not been released at this time, but the problem may be fixed in a future version. Upgrade to a version higher than 3.53 if available.
stronghold-info:
Upgrade to Stronghold 3.0 build 3015.
realPath.jsp, source.jsp, pageInfo.jsp:
Delete these scripts and any other scripts in the test or samples directories which are not needed.
DefaultServlet:
Upgrade to the latest version of Tomcat. Otherwise, there are two separate workarounds which need to be applied to protect against two variants of this vulnerability:
<servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
phpinfo.php:
This is just one of several potential problems in Mambo Site Server 4.0.11 and earlier. Download and install all security patches for versions 3.0.7 through 4.0.11, or upgrade to the 4.0.12 stable release when it becomes available.
messages:
No vendor patch has been released at the time of this writing. It would be advisable to block access to the web interface at the network perimeter.
For more information about the nph-test-cgi vulnerability, please read CERT Advisory 97.07.
A good discussion of the wwwboard.pl problem may be found in Bugtraq. The ndsobj.nlm problem was posted to VulnWatch. The ofcscan.ini problem was reported in SNS Advisory 44. You may read more about the wrap vulnerability in CIAC Bulletin H-102. The Red Hat Stronghold vulnerability was reported in Vigilante advisory 2001002.
The Tomcat vulnerability regarding .jsp scripts in test/samples directories was reported in ProCheckUp Security Bulletins 02-05, 02-06, and 02-07. The Tomcat DefaultServlet vulnerability was reported in Bugtraq. It is also discussed in the news section of Apache Jakarta.
More information on phpinfo.php and other vulnerabilities in Mambo Site Server can be found in Bugtraq.
The vulnerability in Axis webcams was reported in Bugtraq.