Date:         Thu, 7 Sep 2000 11:50:46 -0400
From: "@stake Advisories" <advisories@ATSTAKE.COM>
Subject:      @stake Advisory: SuSE Apache CGI Source Code Viewing (A090700-2)
To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                        @stake, Inc.
                      www.atstake.com
                 www.cerberus-infosec.co.uk

                     Security Advisory

 Release Date: 09/07/2000
  Application: Apache 1.3.9 and 1.3.12
     Platform: SuSE Linux 6.3 and 6.4
     Severity: An attacker can gain access to source code of
               CGI scripts. As such they may be able to discover
               user IDs and passwords, analyze business logic
               and examine scripts for weaknesses.
       Author: mnemonix (dlitchfield@atstake.com)
Vendor Status: Vendor has updated distribution configuration files
          Web: www.atstake.com/research/advisories/2000/a090700-2.txt


Overview:

	The SuSE distribution of Linux (6.3 and 6.4 - earlier
distributions may also be affected) uses Apache as its web server
(currently 1.3.12 with SuSE 6.4), and it is installed by default. Due
to a setting within the Apache configuration file it is possible for an
attacker to retrieve the source code of CGI scripts instead of having the
server execute them. Such scripts often contain sensitive information such
as user IDs and passwords for database access, as well as business logic.
Further to this, having the code allows the attacker to examine the scripts
for weaknesses that could then be exploited to gain unauthorized access to
the server.


Detailed Description:

	Apache reads its configuration from the file httpd.conf in the
/etc/httpd/ directory (srm.conf and access.conf have been rolled into
httpd.conf). Due to an erroneous setting in this file it is possible to
retrieve the source code of CGI scripts held in the virtual directory
/cgi-bin/. Under normal operation files in this directory are executed on
the server and only their output is returned to the client. The setting in
httpd.conf that maps /cgi-bin/ to the script directory and marks it so that
the files in it are executed as CGI programs is:

	ScriptAlias /cgi-bin/ "/usr/local/httpd/cgi-bin"

However, as well as this setting there is also another:

	Alias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/

This line is the root of the problem. An alias, or virtual directory,
called "/cgi-bin-sdb/" has been set up that maps to the same physical
location as "/cgi-bin/". A plain "Alias" only translates the URL into a
filesystem path; it does not mark the directory as containing CGI programs,
so unless some other directive enables CGI execution for that directory,
Apache hands the files to its default handler and returns them to the client
as ordinary files. SuSE should have set this up as a "ScriptAlias" rather
than just an "Alias". The alias exists to support searching through SuSE's
documentation from the web server, but as it transpires the search engine
uses /cgi-bin anyway - perhaps the cause of the oversight. An attacker
simply replaces /cgi-bin/ with /cgi-bin-sdb/ in the URL of a script to
receive its source code instead of its output. No special privileges are
needed: the web server must be able to read the scripts in order to run
them, so it can equally well read them out to the client.
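The condition described above can be audited statically: any Alias (or the DocumentRoot) whose target directory coincides with, contains, or lies inside a ScriptAlias'd directory gives a second URL under which the scripts are served as plain files. The following script is an added example, not code from the @stake advisory or from SuSE. It reads only Alias, ScriptAlias and DocumentRoot directives and ignores <Directory>, Options ExecCGI and AddHandler settings, so a hit is something to review by hand rather than a confirmed exposure. The sample configuration embedded in it is constructed; the two cgi-bin lines are the ones quoted in the advisory, the rest is filler in the SuSE layout.

```python
"""Static check for a ScriptAlias'd directory that is also reachable through a
plain Alias or the DocumentRoot (CGI source disclosure, as in the SuSE case).

Added example, not part of the advisory.  Only Alias, ScriptAlias and
DocumentRoot are interpreted; <Directory>/Options/AddHandler are ignored."""
import os
import re
import shlex
import sys

DIRECTIVE_RE = re.compile(r'^(Alias|ScriptAlias|DocumentRoot)\s+(.+)$', re.IGNORECASE)

# Constructed sample in the SuSE 6.4 layout; the cgi-bin lines are the advisory's.
SAMPLE_HTTPD_CONF = """\
DocumentRoot "/usr/local/httpd/htdocs"
ScriptAlias /cgi-bin/ "/usr/local/httpd/cgi-bin"
Alias /icons/ /usr/local/httpd/icons/
Alias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/
"""
# The advisory's first fix: the offending Alias commented out.
FIXED_HTTPD_CONF = SAMPLE_HTTPD_CONF.replace('Alias /cgi-bin-sdb/', '#Alias /cgi-bin-sdb/')


def _norm_path(path):
    """Normalise a filesystem target so '/a/b/' and '/a/b' compare equal."""
    return os.path.normpath(path)


def _norm_url(url):
    """Normalise a URL prefix to exactly one trailing slash."""
    return url.rstrip('/') + '/'


def parse_mappings(conf_text):
    """Return {'alias': [...], 'scriptalias': [...]} of (url_prefix, fs_path).
    DocumentRoot is recorded as a plain (non-script) mapping of '/'."""
    mappings = {'alias': [], 'scriptalias': []}
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()      # a commented-out directive is inert
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        name = m.group(1).lower()
        args = shlex.split(m.group(2))           # handles the quoted "/usr/local/httpd/cgi-bin" form
        if name == 'documentroot' and len(args) == 1:
            mappings['alias'].append(('/', _norm_path(args[0])))
        elif name in mappings and len(args) == 2:
            mappings[name].append((_norm_url(args[0]), _norm_path(args[1])))
    return mappings


def _within(child, parent):
    """True if `child` is `parent` or a path beneath it."""
    return child == parent or child.startswith(parent.rstrip(os.sep) + os.sep)


def find_exposures(conf_text):
    """List (plain_url, script_url, exposed_dir) for every script directory that
    a non-script mapping also serves, i.e. a second URL that returns the files."""
    m = parse_mappings(conf_text)
    findings = []
    for plain_url, plain_dir in m['alias']:
        for script_url, script_dir in m['scriptalias']:
            if _within(script_dir, plain_dir):
                # whole script directory sits under the plain mapping
                rel = os.path.relpath(script_dir, plain_dir)
                exposed_url = _norm_url(plain_url + ('' if rel == '.' else rel))
                exposed_dir = script_dir
            elif _within(plain_dir, script_dir):
                # plain mapping points into a subdirectory of the script directory
                exposed_url, exposed_dir = plain_url, plain_dir
            else:
                continue
            if exposed_url == script_url:
                continue   # same prefix, so no second route; mod_alias takes the first match
            findings.append((exposed_url, script_url, exposed_dir))
    return findings


if __name__ == '__main__':
    # Audit a real file when given a path, otherwise show the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_HTTPD_CONF
    for plain_url, script_url, exposed_dir in find_exposures(text) or []:
        print(f'{exposed_dir} is executed via {script_url} but served as files via {plain_url}')
```

Run against `/etc/httpd/httpd.conf` it reports the `/cgi-bin-sdb/` route for the shipped SuSE configuration and nothing once the Alias is commented out or changed to ScriptAlias; the check is deliberately broader than the advisory's single case so that a ScriptAlias target placed under the DocumentRoot at a different URL is flagged as well.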

Solution:

	There are two ways to approach this. Using your favourite editor,
e.g. pico or vi, edit httpd.conf. The alias can be disabled by placing a #
at the front of the line, thus commenting it out:

	#Alias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/

As the search engine uses /cgi-bin this will not break any functionality,
and it is the preferable fix since it leaves a single route to the script
directory. The other way of resolving this issue would be to change
"Alias" to "ScriptAlias" so the line would read:

	ScriptAlias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/

By doing this CGI scripts requested via /cgi-bin-sdb/ would now be
executed rather than returned. After making either change, check the file
for syntax errors with "apachectl configtest" and then stop and restart
the server. The same consideration applies to any configuration that maps
a CGI directory twice: a ScriptAlias'd directory that also lies beneath
the DocumentRoot or beneath another plain Alias is exposed in the same way.
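Once the server has been restarted, the fix can be confirmed from the outside by requesting one CGI through both prefixes and comparing what comes back: a script that ran returns its own output, while one handed to the default handler comes back verbatim, interpreter line first. The checker below is an added example and not part of the advisory. The host name www.example.com and the script name printenv (Apache 1.3 ships a printenv script in its cgi-bin; substitute one that exists on the target) are placeholders, and the fetch parameter exists so the classifier can be exercised offline against the constructed responses embedded at the bottom.

```python
"""Client-side check that /cgi-bin-sdb/ no longer returns CGI source.

Added example, not part of the advisory.  Host and script name are
placeholders; the canned responses are constructed for offline use."""
import sys
import urllib.error
import urllib.request

SCRIPT_PREFIX = '/cgi-bin/'       # the ScriptAlias: requests here execute the script
PLAIN_PREFIX = '/cgi-bin-sdb/'    # the Alias that served the same directory as files


def http_get(url):
    """Return (status, content_type, body); HTTP errors are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.headers.get('Content-Type', ''), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get('Content-Type', ''), err.read()


def classify(status, content_type, body):
    """Label one response as 'executed', 'source', 'absent', 'forbidden' or 'other'."""
    if status == 404:
        return 'absent'          # the alias is gone (the comment-it-out fix)
    if status == 403:
        return 'forbidden'
    if status != 200:
        return 'other'
    if body.startswith(b'#!') or body.startswith(b'\x7fELF'):
        return 'source'          # script text, or a compiled CGI binary, served as a file
    return 'executed'            # anything else is taken to be the program's own output


def check_host(base_url, script, fetch=http_get):
    """Fetch `script` via both prefixes; 'exposed' is True when the plain
    route hands back the file instead of running it."""
    results = {
        'script': classify(*fetch(base_url + SCRIPT_PREFIX + script)),
        'plain': classify(*fetch(base_url + PLAIN_PREFIX + script)),
    }
    results['exposed'] = results['plain'] == 'source'
    return results


# Constructed responses standing in for a SuSE 6.4 host before and after the fix.
VULNERABLE_RESPONSES = {
    'http://www.example.com/cgi-bin/printenv':
        (200, 'text/html', b'<HTML><PRE>SERVER_SOFTWARE=Apache/1.3.12\n</PRE></HTML>\n'),
    'http://www.example.com/cgi-bin-sdb/printenv':
        (200, 'text/plain', b'#!/usr/bin/perl\n# demo CGI program which prints its environment\n'),
}
FIXED_RESPONSES = dict(VULNERABLE_RESPONSES)
FIXED_RESPONSES['http://www.example.com/cgi-bin-sdb/printenv'] = (404, 'text/html', b'Not Found\n')


def canned(responses):
    """Build a fetch() that answers from a dict instead of the network."""
    return lambda url: responses.get(url, (404, 'text/html', b'Not Found\n'))


if __name__ == '__main__':
    # With a base URL on the command line the check goes over the network;
    # without one it runs against the constructed vulnerable host.
    if len(sys.argv) > 1:
        print(check_host(sys.argv[1].rstrip('/'), 'printenv'))
    else:
        print(check_host('http://www.example.com', 'printenv', canned(VULNERABLE_RESPONSES)))
```

The classifier keys on the first bytes of the body rather than on Content-Type, because a CGI emits whatever type it likes while a script served as a file gets Apache's default type; a leading `#!` or ELF header is the reliable sign that the file itself, not its output, came back.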

Vendor Response:

SuSE has updated the Apache distribution package. More information can
be found at http://www.suse.de/de/support/security/



For more advisories: http://www.atstake.com/research/index.html
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.




-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBObe21lESXwDtLdMhEQJajwCg8kYY9NZH7zKaXRYRtTp0kVAcY5kAn3Cs
cRQt/QyJI1Ol8KtGkeYg60vM
=3+wu
-----END PGP SIGNATURE-----