You are viewing a plain text version of this content. The canonical link for it is here.

Posted to apache-bugdb@apache.org by Jake Mancuso <f0...@hotmail.com> on 1999/02/26 04:14:38 UTC

general/3969: cgi-bin directory is wold readable, causing, when the right cgi's are in place, a root compromise of the entire system

>Number:         3969
>Category:       general
>Synopsis:       cgi-bin directory is wold readable, causing, when the right cgi's are in place, a root compromise of the entire system
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Feb 25 19:20:01 PST 1999
>Last-Modified:
>Originator:     f0bic@hotmail.com
>Organization:
apache
>Release:        Apache 1.2.4  ( ntx enhanced server - referer/agent 1.0d6 )
>Environment:
Apache/1.2.4 ( ntx enhanced server - referer/agent 1.0d6 ) running on BSD/OS
>Description:
I send the following mail to NTX.net, the company that adapted Apache 1.2.4 into
NTX enhanced:

---------->>

Hi,

As a security analyst, I've been studying your Apache NTX Enhanced
WebServer System. In doing this, I was trying to find holes in your security. I just wanted to let you know that I did find one.

It seems that anyone can have read access to the remote server's cgi-bin directory. This can lead to compromise of the remote machine if certain cgi's are found on the system. 

I found this hole by doing a security check on one of the sites you host. The site in question is www.estock.com. By utilizing NetCraft's (www.netcraft.com) WebServer Check I noticed that www.estock.com is running Apache/1.2.4 ( ntx enhanced server - referer/agent 1.0d6 ).

This means that this server is vulnerable to breaches in security. Properly exploited, these breaches on the cgi-level of security could lead to a root compromise of your entire system.

I would be happy to discuss this and/or other matters of security with you. I look forward to hearing from you. 

Best regards,

f0bic
Spl0it Security Team
[f0bic@hotmail.com]

<<-------------

>How-To-Repeat:
www.estock.com/cgi-bin is world readable, giving adversaries the possibility of
browsing through the cgi-bin directory and finding out critical information about the system.
>Fix:
The only easy solution that I see is to chmod 700 on the cgi-bin directory
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]