-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= CERT(sm) Advisory CA-97.07 Original issue date: February 18, 1997 Last revised: February 21, 1997 Corrected organization names in acknowledgements. Topic: Vulnerability in the httpd nph-test-cgi script - ----------------------------------------------------------------------------- Because of ongoing activity relating to a vulnerability in the nph-test-cgi script included with some http daemons, the CERT Coordination Center staff is issuing this recommendation to check your cgi-bin directory. By exploiting this vulnerability, users of Web clients can read a listing of files they are not authorized to see. The CERT/CC team recommends removing the script from your system and checking Appendix A of this advisory for information provided by vendors. We also urge you to read CERT advisory CA-96.06.cgi_example_code for another CGI-related vulnerability that continues to be exploited. We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site. - ----------------------------------------------------------------------------- I. Description A vulnerability in the nph-test-cgi script included with some http daemons makes it possible for the users of Web clients to read a listing of files they are not authorized to read. This script is designed to display information about the Web server environment, but it parses data requests too liberally and thus allows a person to view a listing of arbitrary files on the Web server host. II. Impact By exploiting this vulnerability, remote users can read a listing of files they are not authorized to read. Access to an account on the system is not necessary. III. Solution We recommend removing or disabling the nph-test-cgi script (see Sec. A). If you must keep the script, follow the suggestion in Sec. B. All readers should also check Appendix A for information supplied by vendors. A. Remove or disable the script Some World Wide Web servers include this script by default, but it is possible that some sites have installed this script manually. Therefore, we encourage all sites to check whether they have this script by searching for the file nph-test-cgi in the cgi-bin directory associated with their web server. If you find the script, we urge you to either remove the program itself or remove the execute permissions from the program. The nph-test-cgi program is not required to run httpd successfully. Also note that a web server may have multiple cgi-bin directories. It is not sufficient to look in the regular location only. For example, in the NCSA HTTPd server, you can specify alternate locations for the scripts by setting the ScriptAlias directive in the srm.conf file. See your vendor's documentation to learn if your sever provides this feature. If you are using this feature, you need to remove the nph-test-cgi script or apply the workaround below in every cgi-bin directory. B. Modify existing scripts If you must continue to use this test-cgi script, then we encourage you to search for lines of code that echo variables and ensure that the variable string to be echoed is quoted. For instance, lines of the form: echo QUERY_STRING = $QUERY_STRING should read echo QUERY_STRING = "$QUERY_STRING" C. Vendor Information Please check Appendix A for information supplied by vendors; we will update the appendix as we receive additional information. If you do not see your vendor's name, then we did not hear from that vendor. Please contact the vendor directly. Note: Even if your vendor did not ship the nph-test-cgi script, you should check your cgi-bin directory in case someone at your site added such a script later. IV. Additional Reading Several resources relating to Web security in general are available. The following resources provide a useful starting point. They include links describing general WWW security, secure httpd setup, and secure CGI programming. The World Wide Web Security FAQ: http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html NSCA's "Security Concerns on the Web" Page: http://hoohoo.ncsa.uiuc.edu/security/ The following book contains useful information, including sections on secure programming techniques. _Practical Unix & Internet Security_, Simson Garfinkel and Gene Spafford, 2nd edition, O'Reilly and Associates, 1996. (Note that we provide these pointers for your convenience. As this is not CERT/CC material, we cannot be responsible for content or availability. Please contact the administrators of the sites if you have difficulties with access.) ........................................................................... Appendix A - Vendor Information Below is a list of the vendors who have provided information for this advisory. We will update this appendix as we receive additional information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact the vendor directly. Apache ===== The latest version of Apache, 1.1.3, does not contain the nph-test-cgi cgi-script. The test-cgi script included with Apache 1.1.3 does contain the filename globbing bug, but does not ship enabled by default. Apache-SSL ========== The current version of Apache-SSL is against 1.1.1, and so does not suffer from this problem. Also, Apache-SSL is distributed as patches to Apache, and so does not, in itself, contain any CGI scripts. Stronghold ========== Stronghold 1.3.4 ships with no pre-installed CGI scripts. Microsoft ========= With regard to NT/IIS we don't ship the script referenced. Also see recommendations at http://www.microsoft.com/intdev and http://www.microsoft.com/pdc National Center for Supercomputing Applications =============================================== The NCSA(tm) HTTPd comes with a variety of test cgi scripts, including nph-test-cgi. Also included are test-cgi, test-cgi.tcl, and test-env. These test scripts are readily identified by the word "test" in their names. They have been provided at the request of our web server community to test the server installation and facilitate the development of cgi scripts. When working perfectly they provide private information about the server and cgi environment. Test cgi programs are not intended to be left on an operational server. If using the NCSA HTTPd server for operational use, many configuration issues must be addressed. Among those issues is the use of cgi scripts. No script should be run on a server that has not been carefully reviewed. This is especially true for the test scripts, which were never intended to be left on an operational server. Users of NCSA HTTPd should be running the most current version (1.5.2a) to ensure that security patches are implemented. Test cgi scripts should be removed from cgi-bin directories before putting a server in operational use. Please see http://hoohoo.ncsa.uiuc.edu/security for further details on securely installing the NCSA HTTPd server. To report security vulnerabilities in NCSA products, email the NCSA Incident Response and Security Team (irst@ncsa.uiuc.edu). NCSA is a trademark of the University of Illinois Board of Trustees. - ----------------------------------------------------------------------------- The CERT Coordination Center thanks David Kennedy of the National Computer Security Association, Ken Rowe of the NCSA(tm) IRST, and Josh Richards for providing information about this problem. - ----------------------------------------------------------------------------- If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (see ftp://info.cert.org/pub/FIRST/first-contacts). CERT/CC Contact Information - ---------------------------- Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4) and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA Using encryption We strongly urge you to encrypt sensitive information sent by email. We can support a shared DES key or PGP. Contact the CERT/CC for more information. Location of CERT PGP key ftp://info.cert.org/pub/CERT_PGP.key Getting security information CERT publications and other security information are available from http://www.cert.org/ ftp://info.cert.org/pub/ CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org In the subject line, type SUBSCRIBE your-email-address - --------------------------------------------------------------------------- Copyright 1997 Carnegie Mellon University This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included. CERT is a service mark of Carnegie Mellon University. - --------------------------------------------------------------------------- This file: ftp://info.cert.org/pub/cert_advisories/CA-97.07.nph-test-cgi_script http://www.cert.org click on "CERT Advisories" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Revision history February 21, 1997 Acknowledgements - corrected organization names. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMw4EFHVP+x0t4w7BAQG/awQAz/0bxgpFffdWh9FVMM8Fp9J45swP+/ZS LY4ujfQVm5n8Qibxhy8Vk4ZhCRLO7pPE7X9PRuSm8MQF2ZWirttHhdVs1eK/8WrA +HSo+Y1HXoybDr7wN7Sprn0d4ss5xM/VQHDsmOTtikq+FHEq6CvBf+2J8gqygFU1 HOYspVfMQ9E= =qGBy -----END PGP SIGNATURE-----