Tutorial - HTTP CGI Information

HTTP CGI Gives Information

Updated 3/7/03

Impact

If a malicious user is able to exploit this vulnerability, he or she may be able acquire information about the web server and system settings of the exploited system. In certain circumstances, an attacker may even be able to gather information about user accounts on the affected system. A malicious user may then be able to gain unauthorized access to the system using this information. (Remember, an attacker's best weapon is knowledge!) For example, if an attacker is able to learn information about the operating system of the target, he or she will then be able to gear certain attacks (such as buffer overflows) towards that specific operating system.

Background

The HyperText Transport Protocol (HTTP) allows a client to access HTML pages and other web applications using a web browser. HTTP servers contain programs called CGI scripts which perform functions on the server at the request of the client (when a form is submitted, for example) and transmit results to the client's browser in the form of an HTML page.

The Problems

Various programs which may be installed with certain Web servers are vulnerable to exploitation by hackers. These include:

test-cgi:
CVE 1999-0070

When an Apache web server is installed, the test-cgi program is installed by default. The installation of this program creates a security hole on the system, as it indiscriminately gives out various system information, such as the directory in which the Web server resides, the OS of the system and even the directory structure of the system. There are some versions of the test-cgi program which are not vulnerable to probing by a malicious user, and, of course, there are some versions which are. To determine if your version of test-cgi is vulnerable, use any standard text-editor (such as vi) to view the body of the program (which is written in standard shell script). If it contains the line of text found below, it is indeed vulnerable to probing by a malicious user:

echo QUERY_STRING = $QUERY_STRING

If the test-cgi program is present in the Web server's /cgi-bin directory, it may be accessed and exploited using any Web browser. A hacker would simply have to type in the URL below to gain information about the target system:

http://hostname/cgi-bin/test-cgi?/*

dumpenv.pl:

This program, written in perl, displays general environment information about the system on which a Web server resides. This information may include the version of Web server software being used, path information and information about the system's directory settings.

nph-test-cgi:
CVE 1999-0045

By passing the proper arguments to this program, using any Web browser, a hacker may be able to read the contents of various directories on the target system (regardless of any security settings).

wwwboard.pl:
CVE 1999-0953

Older versions of wwwboard.pl scripts do not perform URL checking before accepting input. If a hacker passes the proper parameters to this particular program (via a form), he or she may be able to remove lists, corrupt various files and wreak general chaos on the Web-based message board. If the wwwboard.pl program is present on the system, you will be notified of this fact, although not all versions of the program contain this vulnerability.

wrap:
CVE 1999-0149

The HTTP (or Web) server shipped with IRIX 6.x comes installed with a perl script named wrap. A hacker may use this program to view a listing of any directory on the target system with a mode setting of 755, which is, in standard UNIX notation, "--rwxr-xr-x". This means that the directory will have read, write and & execute permissions at the user level and read and execute permissions for the group and world levels. The wrap program is part of the Outbox subsystem installed by default with the HTTP server (beginning with IRIX version 6.2). This vulnerability is often exploited as an information gathering tool in conjunction with the other vulnerabilities discussed in this tutorial.

finger:

The finger CGI is a program which uses the finger binary to display information about user accounts on a system (this is done via the Web server). This information may contain such things as the type of shell associated with user accounts, login names, last login date and other information a hacker might find useful. This information, if released, might well prove invaluable to a hacker attempting to gain unauthorized access to a target system.

ndsobj.nlm:
8/27/01
This script is part of the NetWare Enterprise Web Server 5.1. If NDS browsing over the web is enabled, a remote attacker could use the script to gather user names, group names, and other system information.

ofcscan.ini:
10/24/01
CAN 2001-1151
This is the configuration file for Trend Micro OfficeScan and Virus Buster Corporate Editions. Due to inadequate access control to the /officescan/hotdownload virtual directory, it is possible for a remote attacker to read this file, revealing configuration information and encrypted passwords which can be easily decrypted.

stronghold-info:
11/30/01
It is possible for a remote attacker to gain access to configuration information, a list of requests made to the server, and other sensitive information on a Red Hat Stronghold server using the following two requests:

http://target/stronghold-info
http://target/stronghold-status

realPath.jsp, source.jsp, pageInfo.jsp:
6/4/02
These scripts are part of the Apache Tomcat Java Servlet package. A variety of vulnerabilities in these and other sample scripts could allow a remote attacker to view directory listings, physical path names, and Java debugging information that could be useful in planning an attack.

CVE 2000-1210
Additionally, older versions of source.jsp have a directory traversal vulnerability which could reveal any file on the system.

DefaultServlet:
9/27/02
CAN 2002-1148
The default servlet (org.apache.catalina.servlets.DefaultServlet) is part of the Apache Tomcat Java Servlet package. A vulnerability in this servlet could allow a remote attacker to view source code, which could reveal passwords, the directory structure, or other sensitive information which could be used to plan a subsequent attack. Tomcat 4.0.4 and 4.1.10 (and probably all other earlier versions also) are vulnerable.

phpinfo.php:
12/31/02
This script is part of Mambo Site Server. It could reveal sensitive information, such as full physical path names and PHP settings.

messages:
3/7/03
The Axis webcam system includes a web-based administrative interface. When the server receives a request for http://server/support/messages, it returns the contents of the /var/log/messages file, which could contain sensitive information about the operating system. Additional vulnerabilities could allow an attacker to create or overwrite arbitrary files.

Resolutions

test-cgi:

The best solution for this vulnerability is to remove the test.cgi program!. If this is not feasible, simply add quotes to the offending line (see the example below).

echo QUERY_STRING = "$QUERY_STRING"

dumpenv.pl:

It is highly recommended that you remove the dumpenv.pl: program from your Web server's /cgi-bin directory. At the very least, you should set some type of access restrictions for this particular program. You may wish to, for example, place the program in a password protected directory. For further protection, you may also wish to restrict which IP addresses may access this program (for information on how to enable password and IP address restrictions, see your Web server's documentation).

nph-test-cgi:

To eliminate this vulnerability, tt is we recommend that you remove this program from the /cgi-bin directory.

wwwboard.pl:

The fix for this vulnerability is to download and install the latest version of wwwboard.pl. Or, if this particular program is not being used, simply remove it from your Web server's /cgi-bin directory.

wrap:

A patch has been issued by Silicon Graphics which corrects the problems found in this program. If the patch cannot be installed, you may apply one of the following workarounds:

1. Change the permissions on the /cgi-bin/wrap:

Become root user (superuser) /bin/su
/bin/chmod 400 /var/www/cgi-bin/wrap
exit

2. Remove the Outbox Software

Become root user /bin/su
Remove the vulnerable packages /usr/sbin/versions -v remove outbox
exit

finger:

If the script is not being used, we strongly recommend that you remove it from the Web server's /cgi-bin directory.

ndsobj.nlm:

A fix for this script has not yet been released. To mitigate the impact of the vulnerability, disable the NDS browser by performing the following steps from the WEBMGR utility:

Click File.
Click Select Server and select the appropriate server.
Select the \WEB directory on the drive that is mapped to the server and click OK.
Uncheck the Enable NDS browsing check box and click OK.
Click Save and Restart.
Enter the Web Server password and click OK.

Alternately, you can remove Public read access from the root of the NDS trees, which will keep everyone, including internal non-authenticated users, from browsing your internal trees.

ofcscan:
A patch is available for Virus Buster. A fix for OfficeScan has not been released at this time, but the problem may be fixed in a future version. Upgrade to a version higher than 3.53 if available.

stronghold-info:
Upgrade to Stronghold 3.0 build 3015.

realPath.jsp, source.jsp, pageInfo.jsp:
Delete these scripts and any other scripts in the test or samples directories which are not needed.

DefaultServlet:
Upgrade to the latest version of Tomcat. Otherwise, there are two separate workarounds which need to be applied to protect against two variants of this vulnerability:

Apply one of the following:
- Tomcat with HTTP server front-end:
  - Filter all requests with the pattern */servlet/ org.apache.catalina.servlets.DefaultServlet*
  - If you are using mod_jk to connect Tomcat to the front-end server, map to Tomcat only the URLs that are part of your application. See the usage of JkMount directive.
- Standalone Tomcat: Disable all direct calls to the DefaultServlet in the web.xml configuration file.
Apply one of the following:
- Disable the invoker servlet in the $CATALINA_HOME/conf/web.xml file by removing the following lines:
```
<servlet-mapping>
      <servlet-name>invoker</servlet-name>
      <url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
```
- If running any Tomcat 4.0.x release, unzip the patch in the $CATALINA_HOME directory. This will create a new web.xml file which contains a workaround.

You may also want to examine an alternative workaround in the Tomcat FAQ at jGuru.

phpinfo.php:
This is just one of several potential problems in Mambo Site Server 4.0.11 and earlier. Download and install all security patches for versions 3.0.7 through 4.0.11, or upgrade to the 4.0.12 stable release when it becomes available.

messages:
No vendor patch has been released at the time of this writing. It would be advisable to block access to the web interface at the network perimeter.

Where can I read more about this?

You may read more about the test-cgi vulnerability at L0pht/@stake's Test-cgi Vulnerability page. Also, you may read more about dumpenv.pl at Alberta University's Dump Environment page.

For more information about the nph-test-cgi vulnerability, please read CERT Advisory 97.07.

A good discussion of the wwwboard.pl problem may be found in Bugtraq. The ndsobj.nlm problem was posted to VulnWatch. The ofcscan.ini problem was reported in SNS Advisory 44. You may read more about the wrap vulnerability in CIAC Bulletin H-102. The Red Hat Stronghold vulnerability was reported in Vigilante advisory 2001002.

The Tomcat vulnerability regarding .jsp scripts in test/samples directories was reported in ProCheckUp Security Bulletins 02-05, 02-06, and 02-07. The Tomcat DefaultServlet vulnerability was reported in Bugtraq. It is also discussed in the news section of Apache Jakarta.

More information on phpinfo.php and other vulnerabilities in Mambo Site Server can be found in Bugtraq.

The vulnerability in Axis webcams was reported in Bugtraq.