
Date:         Tue, 8 Feb 2000 12:49:04 +0000
From: Julian Midgley <jmidgley@ZEUSTECHNOLOGY.COM>
Subject:      Zeus Web Server: Null Terminated Strings
To: BUGTRAQ@SECURITYFOCUS.COM

This morning Zeus Technology Limited was informed of a serious security
bug in the Zeus Webserver by 'The Relay Group' (http://relaygroup.com).

This document describes the scope of the problem and its solution.


Versions affected
-----------------

 Zeus 3.1.x / 3.3.x



Severity
--------

High - this bug allows the contents of CGI scripts to be read by a remote
client, if the scripts are run with the CGI module's "allow CGIs
anywhere" option enabled.

It does not affect CGIs run from designated directories (cgi-bins).
Nonetheless, we recommend that all customers upgrade to Zeus 3.3.5a; see
below for further details.


Description
-----------

Requests for URLs which contain the text '%00' are decoded to contain
a null-terminator.  This means that files can be accessed via URLs
that are not access controlled, allowing files that are *inside* the
document root to be retrieved.

For example, if you run a webserver with the 'allow CGI anywhere' option,
and have a Perl CGI script inside the document root accessible as
'http://mysite/script.cgi' then a request for
'http://mysite/script.cgi%00' will cause the webserver to return the Perl
source of the CGI script to the client.

This happens because the mime-type of '.cgi\0' does not map to
'application/x-httpd-cgi', so the file is instead served by the get
module as 'text/plain'.  The webserver will ask the OS for the file
'script.cgi\0\0', and due to the zero-terminated string interface of
Unix, the OS will actually open 'script.cgi\0' instead of returning a
"file-not-found" error.
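To illustrate the mechanism above, an added example in C (not Zeus code): a toy percent-decoder and length-aware extension lookup that disagree with the C library's view of the same buffer, plus a hardened variant that rejects any decoded NUL before the path reaches the filesystem. The names url_decode, handler_for and route are assumptions.

```c
/* Added example, not Zeus code: shows why '%00' splits the server's
 * length-aware view of a path from the NUL-terminated view open(2) sees. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define CGI_TYPE   "application/x-httpd-cgi"
#define PLAIN_TYPE "text/plain"

/* Percent-decode url into buf. Returns the decoded length, which is longer
 * than strlen(buf) whenever a %00 was decoded into an embedded NUL. */
size_t url_decode(const char *url, char *buf, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; url[i] != '\0' && n + 1 < cap; i++) {
        if (url[i] == '%' && isxdigit((unsigned char)url[i + 1])
                          && isxdigit((unsigned char)url[i + 2])) {
            char hex[3] = { url[i + 1], url[i + 2], '\0' };
            buf[n++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else {
            buf[n++] = url[i];
        }
    }
    buf[n] = '\0';
    return n;
}

/* Length-aware MIME lookup: "script.cgi\0" ends in "cgi\0", not ".cgi",
 * so it misses the CGI handler and falls through to text/plain, while
 * strlen() (and therefore open(2)) stops at the NUL and sees "script.cgi". */
const char *handler_for(const char *path, size_t len) {
    const char *ext = ".cgi";
    size_t el = strlen(ext);
    if (len >= el && memcmp(path + len - el, ext, el) == 0)
        return CGI_TYPE;
    return PLAIN_TYPE;
}

/* Route a request. With hardened != 0, any decoded NUL is rejected (NULL,
 * e.g. answer 400 Bad Request), which is the check a decoder should make
 * before the path is handed to any NUL-terminated OS interface. */
const char *route(const char *url, int hardened) {
    static char path[256];          /* constructed buffer for the demo */
    size_t n = url_decode(url, path, sizeof path);
    if (hardened && memchr(path, '\0', n) != NULL)
        return NULL;
    return handler_for(path, n);
}
```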


Problem Solution
----------------

We have fixed the problem in the latest version of Zeus (3.3.5a) now
available for all 14 platforms from our ftp site
ftp://ftp.zeustechnology.com/pub/products/z3.

This version will report itself as '3.3.5a' and also
display today's (8th Feb) date on startup.

Download the distribution for your platform, untar it, and run
'./zinstall --force' and it will seamlessly upgrade your running
server to the fixed release.


--
Julian Midgley                                Tel: +44 1223 525000
Technical Services Manager                    Fax: +44 1223 525100
Zeus Technology Ltd                  http://www.zeustechnology.com
Newton House, Cambridge Business Park, Cambridge. CB4 OWZ. England