Posted to apache-bugdb@apache.org by Jake Mancuso <f0...@hotmail.com> on 1999/02/26 04:14:38 UTC
general/3969: cgi-bin directory is world readable, causing, when the right CGIs are in place, a root compromise of the entire system
>Number: 3969
>Category: general
>Synopsis: cgi-bin directory is world readable, causing, when the right CGIs are in place, a root compromise of the entire system
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Thu Feb 25 19:20:01 PST 1999
>Last-Modified:
>Originator: f0bic@hotmail.com
>Organization:
apache
>Release: Apache 1.2.4 ( ntx enhanced server - referer/agent 1.0d6 )
>Environment:
Apache/1.2.4 ( ntx enhanced server - referer/agent 1.0d6 ) running on BSD/OS
>Description:
I sent the following mail to NTX.net, the company that adapted Apache 1.2.4 into
NTX enhanced:
---------->>
Hi,
As a security analyst, I've been studying your Apache NTX Enhanced
WebServer System. In doing this, I was trying to find holes in your security. I just wanted to let you know that I did find one.
It seems that anyone can have read access to the remote server's cgi-bin directory. This can lead to compromise of the remote machine if certain CGIs are found on the system.
I found this hole by doing a security check on one of the sites you host. The site in question is www.estock.com. By utilizing NetCraft's (www.netcraft.com) WebServer Check I noticed that www.estock.com is running Apache/1.2.4 ( ntx enhanced server - referer/agent 1.0d6 ).
This means that this server is vulnerable to breaches in security. Properly exploited, these breaches on the cgi-level of security could lead to a root compromise of your entire system.
I would be happy to discuss this and/or other matters of security with you. I look forward to hearing from you.
Best regards,
f0bic
Spl0it Security Team
[f0bic@hotmail.com]
<<-------------
>How-To-Repeat:
www.estock.com/cgi-bin is world readable, giving adversaries the possibility of
browsing through the cgi-bin directory and finding out critical information about the system.
>Fix:
The only easy solution that I see is to chmod 700 on the cgi-bin directory.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig- ]
[nored unless you are responding to an explicit request ]
[from a developer. ]
[Reply only with text; DO NOT SEND ATTACHMENTS! ]
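The fix section of the report proposes `chmod 700` on the cgi-bin directory. The following POSIX shell script is an added example written for this page; it is not part of the bug report or of Apache. It audits a directory's mode bits for "other" read or search permission (the condition the report calls world readable), applies the report's fix, and re-checks. The directory path is an assumption: the script creates a throwaway directory standing in for cgi-bin rather than touching a real server.

```shell
#!/bin/sh
# Added example (not part of the bug report): audit a cgi-bin directory for
# "other" read/search permission and tighten it to mode 700 as the report
# suggests. The directory path is an assumption; a sandbox is created below.

# Print "yes" if users outside the owner and group can read or search the
# directory, "no" otherwise. Parses the mode string printed by `ls -ld`,
# which is portable across BSD and GNU userlands (stat's flags are not).
# Position 8 of "drwxr-xr-x" is other-read, position 10 is other-execute.
cgi_dir_world_accessible() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        d??????r??|d????????x) echo yes ;;
        *) echo no ;;
    esac
}

# Apply the report's fix (owner-only read/write/search) and report the
# resulting state. Caveat: the owner must be the user the server runs CGIs
# as (or the suEXEC target user); otherwise mode 700 locks the server out too.
harden_cgi_dir() {
    chmod 700 "$1" && cgi_dir_world_accessible "$1"
}

# Constructed demonstration: a temporary directory in place of a real cgi-bin.
demo_dir=$(mktemp -d) || exit 1
chmod 755 "$demo_dir"   # a common default: world-readable and world-searchable
printf 'before:          world accessible = %s\n' "$(cgi_dir_world_accessible "$demo_dir")"
printf 'after chmod 700: world accessible = %s\n' "$(harden_cgi_dir "$demo_dir")"
rmdir "$demo_dir"
```

The check looks only at the filesystem mode, which is what the report's fix changes. Whether a browser can list the directory over HTTP is additionally governed by the web server's configuration, so a defender reviewing this report would verify that separately.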